Debian Security Advisory package builds are not incorporated ASAP

[jonnyowenpowell]

Describe the bug The new version of an updated package is required by the CI workflow to be present for all architectures.

Debian Security Advisories are sometimes published without a build of the package for some of the less common architectures, to secure a large percentage of their users sooner. See details here.

By requiring builds be present for all architectures, distroless currently breaks the ASAP delivery of the fix.

To Reproduce Steps to reproduce the behavior:

An example of this can be seen in #1229, when DSA-5343-1 was released without a build for armhf. This delayed the release of the fix for other architectures by ~24 hours.

Expected behavior A clear and concise description of what you expected to happen.

Package builds released with a DSA are incorporated into distroless for each architecture independently.

Console Output If applicable, add information from your container run

Additional context There is a DSA mailing list which could be useful for this work.

[loosebazooka]

Yeah this is a known issue that we occasionally run into. The "package manager" needs a rework.