Hi Niels,
Niels Thykier wrote:
> Jonathan Nieder:
>> With severity=high, a security fix then takes two more days before it
>> hits testing. Is there a way to expedite it? My experience with
>> https://bugs.debian.org/871823 was "no".
[...]
> The 2 days are measured from the first time the package has been made
> available by dak. And then there are some corner cases in how we handle
> "aging" that may slightly complicates how "2 days" are defined here.
>
> It is *technically possible* to expedite an upload to migrate faster
> than "2 days" (including omitting the delay entirely). However, at the
> moment a signifiant part of our QA relies on the delay to catch
> (obvious) mistakes. As such, we generally reserve such exemptions to
> the aging for "very urgent" issues[1].
Thanks. That helps.
Git appears to have been blocked today by
https://alioth-lists.debian.net/pipermail/piuparts-devel/2018-May/007797.html.
Would an "urgent" hint have prevented that?
I would like to see the update in unstable to protect users. For
example, see [2]. I don't think most users of testing realize that
they also need to include stable-backports in sources.list to get
security fixes. That said, by the time you read this message it's
likely that it will have auto-migrated. :)
> I am hoping we will eventually get to a point where the automated QA
> tests provided to the testing migration decision can replace the
> arbitrary delay we currently use to enable manual testing. Though I
> doubt we are ready to do that any time soon.
For next time, if I have done sufficient testing (manual piuparts run,
having internal users use it in daily life, etc) privately during the
embargo period, should I file a bug against the release.debian.org to
make an "urgent" hint when the embargo expires?
Thanks,
Jonathan
> [1] Deployed as an "urgent"-hint in britney:
>
> https://release.debian.org/doc/britney/hints.html#urgent-action-list
[2]
https://blog.npmjs.org/post/174411769410/how-npm-is-affected-by-the-recently-disclosed-git.