Re: Rebasing Ghostscript to 9.25 for stretch-security and add further security patches (running autopkgtests where available?)
On Sat, Nov 03, 2018 at 04:31:08PM +0100, Paul Gevers wrote:
> Hi Salvatore,
> [Added the CI-team list instead of the private e-mail of Antonio]
> On 02-11-18 22:57, Salvatore Bonaccorso wrote:
> > I would be interested to see if we can get help as well (who?) to get
> > all build-rdeps of ghostscripts rechecked, and are possibly as well
> > some autopkgtests possible? Who can be contacted to do those tests?
> > I do not have the infrastructure available to do those tests.
> I assume you mean bandwidth and CPU power as installing debci should be
> enough to "have the infrastructure". Debian does have AWS credits (that
> is what we are using to run ci.d.n) so one could create a instance just
> for testing this.
Yes, badnwith and CPU power but as well "timewise". I explain: I was
hoping you have already something out of the box where you can trow in
a package, and say in which suite it should be tested.
> > I'm Cc'ing Paul and Antonio in the hope they can help doing such a
> > (even if handcrafted) test for the updated ghostscript packages for
> > stretch specifically.
> We can help a bit. I plan to add stretch to the supported suites on
> ci.d.n soon, because I want to test p-u. However, we can (or better, I
> want) only test what's in official Debian archives. If you can think of
> a proper archive where you could upload the package you want to test,
> I'll try to make time to test it on ci.d.n (but I am keeping an eye on
> the perl transition at the moment).
The problem is I do not feel yet confortable to upload it (and once we
do I we plan to do it via security.d.o so the buildd and embargoed
queues will be not accessible by ci.d.n -- I know there is discussion
on actually going a great step forward and have ci tests as well for
security). My local tests went fine so far, but it is after all a new
upstream import to stable from 9.20~dfsg-3.2+deb9u5 to 9.25 based so
there is some risk potential.
Once I get some more internal testing I will ask users as well via
debian-security list to test and report feedback.