[00:20] <blahdeblah> ^
[13:41] <ahasenack> hi #security, when a package in a stable release is, say, 1.0-1, and you need to issue a security update, but that security update is just a rebuild
[13:41] <ahasenack> do you call the rebuild 1.0-1build1, or something else?
[13:41] <ahasenack> there is no added patch, so in principle it shouldn't warrant an ubuntu suffix
[14:08] <mdeslaur> ahasenack: we could, but we usually don't
[14:08] <ahasenack> usually don't what?
[14:08] <mdeslaur> ahasenack: our automated tooling just uses our usual security update "ubuntu" version string
[14:08] <ahasenack> oh, so you would call it 1.0-1ubuntu0.1?
[14:09] <mdeslaur> yes, even if we could use "build"
[14:09] <ahasenack> ok, but you wouldn't mind if we used 1.0-1build1?
[14:09] <mdeslaur> nope, wouldn't mind at all, though you probably want 1build0.1 just to be sure
[14:09] <ahasenack> (bar other upgrade issues that might arise, but let's assume I checked)
[14:10] <ahasenack> is there precedence for using 1build0.1?
[14:10] <sdeziel> isn't using "build" risking to conflict with a fresher import from debian?
[14:10] <mdeslaur> we do that so we don't collide with later releases that may have gotten a build1 during the dev cycle
[14:11] <ahasenack> but it's a stable release, not devel
[14:11] <ahasenack> and later stable releases have a new upstream version
[14:11] <mdeslaur> so, in what I'm describing is for stable releases, not the dev release
[14:11] <ahasenack> (in this particular case)
[14:11] <ahasenack> ok, let me layout the actual package
[14:11] <mdeslaur> ahasenack: if you look at the publishing history, and there was never a build1, sure, you can use build1
[14:12] <ahasenack> https://pastebin.ubuntu.com/p/69vJC7Bvdy/
[14:12] <ahasenack> would you still prefer 1build0.1?
[14:12] <mdeslaur> ok, looks like there was never a 1.0.5-1build1 https://launchpad.net/ubuntu/+source/go-md2man/+publishinghistory
[14:13] <mdeslaur> you can use build1 if you like
[14:13] <mdeslaur> using 0.1 vs 1 is just to minimize the chance of colliding with the package history
[14:13] <ahasenack> k
[14:14] <ahasenack> it's even gone from devel
[14:14] <ahasenack> jammy even
[14:14] <ahasenack> k
[17:49] <JanC> sdeziel: imports from Debian are always rebuilds, so theoretically... shouldn't all buildN suffixes from Debian be dropped?  :)