On Thu, Nov 30, 2017 at 11:59:26AM +0100, Raphael Hertzog wrote:
> Hello Moritz,
>
> On Wed, 09 Mar 2016, Moritz Muehlenhoff wrote:
> > (This is a first high level view, the exact requirements can be hashed
> > out later.)
>
> It would be good to go a bit into more details now.
>
> > It would be great to have a simple (single command) method to simplify
> > testing security updates. Right now these need to be copied manually to
> > the respective test hosts. If it's not available via apt, this is a
> > problem for many people since they are unable to find out which binary
> > packages are installed and how to update them via dpkg.
> >
> > There should be a method to allow
> > - publishing a public security issue to a permanent staging repository
> >   ala jessie-security-staging, which people can keep in their apt source
> >
> > - publishing a non-public security issue to a protected apt
> >   repository to simplify testing for members of the security team
>
> Are you only asking for two repositories that can be targeted with
> dput? Or are you asking for more?

No, this is unrelated to upload queues. This needs a script/dak command
which allows to copy an existing update to the staging repository (which
people can add to their apt sources).

There are multiple use cases for public vulnerabilities:

- For a public vulnerability there's a delay between the initial upload
  to security-master and until all builds have arrived, advisory text
  written etc. During that period the packages would be available for
  pre-release testing (for interested users).

- For some packages we rely on external testers since a practical test
  is too difficult to replicate. Right now we must copy those packages
  manually to people.debian.org, having such a public repo would make
  this also much simpler for people to test.

So having a command like "dak-publish-staging emacs25" would simplify
this a lot. Packages should be pruned from the staging repo when
packages get installed via "dak new-security-install".

In addition we sometimes also need to pass selected not-yet-public
security fixes to testers (and also to simplify testing ourselves). For
that it would be nice to selectively push into a separate repository
which is only accessible with a key. But that is more icing on the cake,
the important bit is the implementation of the public staging repo.

Let me know if you have more questions or further details are necessary.

Cheers,
        Moritz