On Thu, Nov 30, 2017 at 11:59:26AM +0100, Raphael Hertzog wrote:
> Hello Moritz,
> 
> On Wed, 09 Mar 2016, Moritz Muehlenhoff wrote:
> > (This is a first high level view, the exact requirements can be hashed
> > out later.)
> 
> It would be good to go a bit into more details now.
> 
> > It would be great to have a simple (single command) method to simplify
> > testing security updates. Right now these need to be copied manually to
> > the respective test hosts. If it's not available via apt, this is a
> > problem for many people since they are unable to find out which binary
> > packages are installed and how to update them via dpkg.
> > 
> > There should be a method to allow
> > - publishing a public security issue to a permanent staging repository
> >   ala jessie-security-staging, which people can keep in their apt source
> > 
> > - publishing a non-public security issue to a protected apt
> >   repository to simplify testing for members of the security team
> 
> Are you only asking for two repositories that can be targeted with
> dput? Or are you asking for more?

No, this is unrelated to upload queues. This needs a script/dak command
which allows to copy an existing update to the staging repository (which
people can add to their apt sources).

There are multiple use cases for public vulnerabilities:
- For a public vulnerability there's a delay between the initial upload
to security-master and until all builds have arrived, advisory text written
etc. During that period the packages would be available for pre-release
testing (for interested users).
- For some packages we rely on external testers since a practical test
is too difficult to replicate. Right now we must copy those packages
manually to people.debian.org, having such a public repo would make this
also much simpler for people to test.

So having a command like "dak-publish-staging emacs25" would simplify
this a lot. Packages should be pruned from the staging repo when packages
get installed via "dak new-security-install".

In addition we sometimes also need to pass selected not-yet-public
security fixes to testers (and also to simplify testing ourselves). For
that it would be nice to selectively push into a separate repository
which is only accessible with a key. But that is more icing on the
cake, the important bit is the implementation of the public staging
repo.

Let me know if you have more questions or further details are necessary.

Cheers,
        Moritz
