Niels Thykier writes ("Re: ftpmaster data for security.debian.org"):
> On Sat, 5 Nov 2016 18:05:08 +0000 Ian Jackson
> <[email protected]> wrote:
> > Package: ftp.debian.org
> >
> > dgit cannot currently work properly with packages from security.d.o.
...
> There are some limitations on what we can expose from security.d.o since
> it also contains embargoed uploads.
Indeed.

There are two relevant bug reports, #843307 and #862105, which
correspond to different levels of support from s.d.o and therefore
have different benefits. I have CC'd #862105 too so I can provide the
full context for both.

#843307 is a request for better support for public, read-only,
access. Currently dgit works with s.d.o by downloading the whole of
the Sources, which is quite inefficient (and has some lag too).

Re #843307, the relevant ftpmaster API methods are these:

  suites
  dsc_in_suite/$isuite/$package

But as you suggest, they would only need to provide information about
published packages. I think this corresponds to a filter on suites?
So it would be sufficient to limit access to dsc_in_suite. (The
existence of embargoed suites is presumably not secret.)

#862105 is about the desirability of supporting a git workflow for
security updates. I think I don't understand the s.d.o process well
enough to be confident of what the relevant pieces would look like.

I _think_ that there would have to be, at least, a private git server
or private git tree; and some kind of automatic machinery for
publishing the git branch when the embargo is lifted. (There is
already machinery for private git trees for NEW packages but this
would have to be separate, since it would live in parallel to the main
git tree.)

The person doing the dgit push of a security update (ie, the security
upload) would probably need to be able to see the git tree for that
package, and its archive metadata.

> * What parts of the API do you need?
For pushes, I call the following methods:

  suites
  dsc_in_suite/$isuite/$package
  file_in_archive/[ pattern which matches exactly a specific .orig ]

Perhaps it would be worth talking about this on irc or something.

Ian.
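The published-only filter Ian sketches for the read-only case (#843307), as an added example that models the policy rather than reproducing code from dak, dgit or the ftpmaster API: `suites` is answered in full because the existence of embargoed suites is not treated as secret, while `dsc_in_suite` refuses any suite that is not public. The suite names, the `embargoed` flag, the package name and the version strings are all constructed for the example.

```python
"""Model of a published-only view onto the two ftpmaster API methods dgit
needs for fetching. This is an added illustration, not dak or dgit code;
every data value below is constructed."""

from typing import Dict, List, Tuple


class EmbargoedSuite(PermissionError):
    """Raised when dsc_in_suite is asked about a suite that is not public."""


# Constructed: what the archive knows internally about its suites. The
# "embargoed" flag is the assumption that drives the filter.
SUITES: List[Dict[str, object]] = [
    {"name": "stretch-security", "embargoed": False},
    {"name": "jessie-security", "embargoed": False},
    {"name": "embargoed-example", "embargoed": True},
]

# Constructed: (suite, source package) -> list of .dsc records. Only the
# fields a client such as dgit would care about are modelled.
DSC_INDEX: Dict[Tuple[str, str], List[Dict[str, str]]] = {
    ("stretch-security", "examplepkg"): [
        {"version": "1.0-1+deb9u1",
         "filename": "pool/updates/main/e/examplepkg/examplepkg_1.0-1+deb9u1.dsc"},
    ],
    ("embargoed-example", "examplepkg"): [
        {"version": "1.0-1+deb9u2",
         "filename": "pool/updates/main/e/examplepkg/examplepkg_1.0-1+deb9u2.dsc"},
    ],
}


def _suite_record(name: str) -> Dict[str, object]:
    """Look up a suite by name; unknown suites are a plain KeyError."""
    for suite in SUITES:
        if suite["name"] == name:
            return suite
    raise KeyError(name)


def suites() -> List[str]:
    """Public view of `suites`: all names, including embargoed ones, since
    the existence of an embargoed suite is not what needs protecting."""
    return [str(s["name"]) for s in SUITES]


def dsc_in_suite(isuite: str, package: str) -> List[Dict[str, str]]:
    """Public view of `dsc_in_suite/$isuite/$package`: the lookup is only
    served for suites that are not embargoed. The check happens before the
    index is consulted, so an embargoed suite never leaks whether it holds
    the package at all (an empty list vs. records would itself be a hint)."""
    if _suite_record(isuite)["embargoed"]:
        raise EmbargoedSuite(f"suite {isuite!r} is not public")
    return list(DSC_INDEX.get((isuite, package), []))


if __name__ == "__main__":
    print(suites())
    print(dsc_in_suite("stretch-security", "examplepkg"))
    try:
        dsc_in_suite("embargoed-example", "examplepkg")
    except EmbargoedSuite as exc:
        print("refused:", exc)
```

The order of checks is the part worth copying: the embargo test runs before the index lookup, so a client cannot distinguish "embargoed suite, package present" from "embargoed suite, package absent" by comparing responses.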