
Re: Killing policy queues



On Wed, May 30, 2012 at 09:45:37AM +0200, Joerg Jaspert wrote:
> On 12861 March 1977, Ansgar Burchardt wrote:
> > Advantages:
> >  - Less ways to handle package installation.
> >  - Signature checked when the package arrives in the archive, not again
> > when it is accepted from the policy queues.

In practice, would that improve anything re the current issues with
buildd's keys expiration?

> >  - We can generate Packages/Sources for policy queues[2].

There is a long-standing idea of allowing one or some updates to be
"pre-released" so that some people could test them in advance.
This has been done for both embargoed and unembargoed issues, usually
by copying the files to some protected directory.

If this change could help us achieve that, it would be great.

> > Disadvantages:
> >  - Release and security team likely need to update their tools.
> 
> And backports too.

Unless some team member has their own tool or something, we (the sec
team) don't have any tools that rely on anything besides dak ls, and
one that looks for debs and changes in some dir (currently, the queues.)

> You need to ensure that $otherteams can "accept/reject" packages from
> the new place into their suite. And only there. Which the tools currently
> can't. And that things like automatic-late accept[1] work. (Similar for
> rejects). (And mail notifications)
> 
> But beside that, we don't guarantee the actual way of doing things, just
> that they can do these things, so if it makes lotsa more sense for us to
> change it...

This is pretty much our workflow re-dak and some misc issues.
https://wiki.debian.org/DebianSecurity/AdvisoryCreation/SecFull

And yes, we love the auto accept/reject feature :)

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net

