We need to consider the following dak limitations for security updates:
- buildd handling is broken for security updates which share the orig.tar.gz in oldstable and stable. Typically we first release the stable version in such cases and follow up with oldstable after the DSA release.
- Initial uploads of packages to security-master need to be built with "-sa" to include the orig.tar.gz. Otherwise the package will be rejected. If a new package is uploaded with "-sa" and it requires another update before release, the "foo-x.y-1" release needs to be rejected and the "foo-x.y-2" release must be reuploaded with "-sa" again. Otherwise there are weird failures when the buildds fetch the source.
- dak mails are only sent to team@security.debian.org and not to the uploader (typically the maintainer).
- DM maintainers cannot upload to security-master, while they can upload to ftp-master.
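
A pre-upload check for the "-sa" requirement above, as an added example that is not part of dak or of the original page: it reads a .changes file and reports whether the orig tarball is listed in its Files field. The function names and the sample .changes content (package name, version, suite, checksums) are constructed for illustration, and treating a version without a hyphen as a native package is a heuristic.

```python
import re

# Constructed sample: .changes of a first security upload built WITHOUT -sa
# (package name, version, suite and checksums are made up).
SAMPLE_CHANGES = """\
Format: 1.8
Source: foo
Version: 1.2-2
Distribution: stable-security
Files:
 0123456789abcdef0123456789abcdef 1841 utils optional foo_1.2-2.dsc
 fedcba9876543210fedcba9876543210 5320 utils optional foo_1.2-2.debian.tar.xz
 00112233445566778899aabbccddeeff 1024 utils optional foo_1.2-2_source.buildinfo
"""

def parse_fields(text):
    """Parse deb822 fields into {name: value}, joining continuation lines."""
    fields, name = {}, None
    for line in text.splitlines():
        if line.startswith("-----BEGIN PGP SIGNATURE"):
            break  # stop before the signature block of a signed file
        if line[:1] in (" ", "\t") and name:
            fields[name] += "\n" + line.strip()
        elif ":" in line and not line.startswith("-----"):
            name, value = line.split(":", 1)
            fields[name] = value.strip()
    return fields

def includes_orig(changes_text):
    """Return (ok, reason); ok is False when a non-native upload lacks the orig tarball."""
    fields = parse_fields(changes_text)
    version = fields.get("Version", "")
    # Last column of each Files line is the file name.
    names = [l.split()[-1] for l in fields.get("Files", "").splitlines() if l.strip()]
    if "-" not in version:  # heuristic: no Debian revision means a native package
        return True, "native package, no orig tarball expected"
    orig = [n for n in names if re.search(r"\.orig\.tar\.[a-z0-9]+$", n)]
    if orig:
        return True, "orig tarball listed: " + orig[0]
    return False, "no .orig.tar.* in Files; rebuild with -sa"

if __name__ == "__main__":
    print(includes_orig(SAMPLE_CHANGES))
```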