Hi,
it shouldn't be a no-source-change upload though — there also needs to be
a way to enforce building against a fixed version of dependencies,
preferably one that also works for backported security fixes.
A horrible but maybe viable approach would be that a security upload
Provides a name containing the DSA number, and dependent packages
Build-Depend on that and provide their own, i.e.:
Package: static-foo-dev
Provides: static-foo-dev-dsa-12345
and in the dependent package:
Source: bar
Build-Depends: static-foo-dev (>= some version), static-foo-dev-dsa-12345
Package: static-bar-dev
Provides: static-bar-dev-dsa-12345
With this, the buildds would order the builds correctly.
Simon
