Hi Raphael, On Thu, Nov 30, 2017 at 11:59:26AM +0100, Raphael Hertzog wrote: > Hello Moritz, > > On Wed, 09 Mar 2016, Moritz Muehlenhoff wrote: > > (This is a first high level view, the exact requirements can be hashed > > out later.) > > It would be good to go a bit into more details now. > > > It would be great to have a simple (single command) method to simplify > > testing security updates. Right now these need to copied manually to > > the respective test hosts. If it's not available via apt, this is a > > problem for many people since they are unable to find out which binary > > packages are installed and how to update them via dpkg. > > > > There should be a method to allow > > - publishing a public security issue to a permanent staging repository > > ala jessie-security-staging, which people can keep in their apt source > > > > - publishing an non-public security issue to a protected apt > > repository to simplify testing for members of the security team > > Are you only asking for two repositories that can be targetted with > dput? Or are you asking for more?
No not really a second dput upload. We were thinking of: once a package is in the embargoed policy queue and the issues for the respective packages are public, via a dak command(?) publish/stage them in say a "$odename-security-proposed-updates" (or in Moritz's words $codename-security-staging) suites which can be configured by users and which has these selectively choosen packages apt installable. > Do you have any idea of how the authentication would work for the > non-public repository? This has yet to be though of how this can be done. This just as quick followup, sure Moritz will comment as well. Regards, Salvatore