Andreas Metzler writes ("Re: security-uploads & tooling (Re: Bug#1127616:
developers-reference: should document using git-debpush to upload)"):
> On 2026-02-12 Holger Levsen <[email protected]> wrote:
> [...]
> > more seriously, the only difference between normal uploads and uploads
> > to security master is the upload host. thats really all.
>
> No, I guess the complicated bit is [...]
No. The difficulty is not to do with origs.[1]
But, contrary to what Marc says, it *is* significantly more
complicated to implement.
The situation is explained in
#1050143 dgit: support uploading to security-master
which in turn is blocked by
#862105 Please enable me to support dgit push
against security.debian.org.
The root of the difficulty is that security uploads can be embargoed.
So there needs to be machinery for keeping them secret for the right
amount of time. That means (a) a git server with secret repos, or
secret branches, or soemthing, which is a thing we can do, but also
(b) some kind of way for that git server to find out which things it
should make public, and when.
Ian.
[1] src:dgit already has many epicycles[2] to deal with the legacy
archives' bizarre behaviours with respect to origs. I think those
epicycles would be sufficient, but we can always add more...
[2] https://en.wikipedia.org/wiki/Deferent_and_epicycle
--
Ian Jackson <[email protected]> These opinions are my own.
Pronouns: they/he. If I emailed you from @fyvzl.net or @evade.org.uk,
that is a private address which bypasses my fierce spamfilter.
