Re: Workflow for handling security issues in testing

2018-05-31 Thread Jonathan Nieder 
Hi Niels,

Niels Thykier wrote:
> Jonathan Nieder:

>> With severity=high, a security fix then takes two more days before it
>> hits testing.  Is there a way to expedite it?  My experience with
>> https://bugs.debian.org/871823 was "no".
[...]
> The 2 days are measured from the first time the package has been made
> available by dak.  And then there are some corner cases in how we handle
> "aging" that may slightly complicates how "2 days" are defined here.
>
> It is *technically possible* to expedite an upload to migrate faster
> than "2 days" (including omitting the delay entirely).  However, at the
> moment a signifiant part of our QA relies on the delay to catch
> (obvious) mistakes.  As such, we generally reserve such exemptions to
> the aging for "very urgent" issues[1].

Thanks.  That helps.

Git appears to have been blocked today by
https://alioth-lists.debian.net/pipermail/piuparts-devel/2018-May/007797.html.
Would an "urgent" hint have prevented that?

I would like to see the update in unstable to protect users.  For
example, see [2].  I don't think most users of testing realize that
they also need to include stable-backports in sources.list to get
security fixes.  That said, by the time you read this message it's
likely that it will have auto-migrated. :)

>   I am hoping we will eventually get to a point where the automated QA
> tests provided to the testing migration decision can replace the
> arbitrary delay we currently use to enable manual testing.  Though I
> doubt we are ready to do that any time soon.

For next time, if I have done sufficient testing (manual piuparts run,
having internal users use it in daily life, etc) privately during the
embargo period, should I file a bug against the release.debian.org to
make an "urgent" hint when the embargo expires?

Thanks,
Jonathan

> [1] Deployed as an "urgent"-hint in britney:
>
> https://release.debian.org/doc/britney/hints.html#urgent-action-list
[2] 
https://blog.npmjs.org/post/174411769410/how-npm-is-affected-by-the-recently-disclosed-git.

Workflow for handling security issues in testing

2018-05-30 Thread Jonathan Nieder 
Hi,

https://security-tracker.debian.org/tracker/CVE-2018-11235
(https://public-inbox.org/git/xmqqy3g2flb6@gitster-ct.c.googlers.com/)
reminded me that I don't fully understand the process for handling
embargoed security issues in sid and testing.

When preparing updates for an embargoed issue in stable
(https://www.debian.org/doc/manuals/developers-reference/ch05.en.html#bug-security),
the packager uploads to security-master and auto-builders are able to
build for supported platforms before the embargo expires.  Once the
embargo expires, the package is released and available quickly for
users to upgrade.

After preparing updates for an embargoed issue in sid, the packager
uploads to ftp-master once the embargo expires.  There is an additional
delay for auto-builders to build the package before the binary package
is available, unless the packager prepares binary packages locally in
advance and uploads them as well.  Is that the recommended practice?

With severity=high, a security fix then takes two more days before it
hits testing.  Is there a way to expedite it?  My experience with
https://bugs.debian.org/871823 was "no".

Is my understanding correct?  Any other points?

Thanks,
Jonathan

Build-depending on the linux-source package (Re: Bug#605090: Linux 3.2 in wheezy)

2012-02-01 Thread Jonathan Nieder 
Bastian Blank wrote:

> Since 3.1 or so it is not longer possible to use this package as source
> in terms of the GPL like the udebs have done for several releases.

The Built-Using field[1] can take care of that, at least for debs.  (I
don't know about udebs.)

[1] http://bugs.debian.org/641153


-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20120201190556.GA28314@burratino