Hi, On Wed, Mar 09, 2016 at 07:36:02PM +0100, Moritz Muehlenhoff wrote: > Package: ftp.debian.org > Severity: wishlist > > This was discussed at one of the past security team meetings, but > there was never a bug for that: > > (This is a first high level view, the exact requirements can be hashed > out later.) > > Right now to release a security update one needs shell access on > security-master. It would be great to allow the release of a security > update via a PGP-signed control message (similar to how changes files > need to be signed to allow uploads). > > The next step would then be an ACL mechanism where trusted DDs can be > granted the possibility to release DSAs on their own (after the > security team having acked the debdiff). (This also needs some tweaks > for the debian-security-announce moderation script, but that's > unrelated to this task.
We had several occasions where such a feature would have been of use (e.g. for realising specific set of packages, where we rely on every update on the respective maintainer to preare an update, firefox-esr is such a case, where it is always then proxyied via a team member). Is this maybe something which could be reached by funding and supporting a paid contributor? Regards, Salvatore
