[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Linux Core Consortium

* Brian Nelson 

| Anyone, developer or non-developer, can help fix toolchain problems.
| However, the only people who can work on the testing-security
| autobuilders are ... the security team and the ftp-masters?  What's
| that, a handful of people?  With a bottleneck like that, isn't that a
| much more important issue?

The problem is not the autobuilder infrastructure per se.  It is that
testing and unstable are largely in sync (!).  This, combinded with the
fact that testing must not have versions newer than unstable (they
will then be rejected) means testing-security wouldn't work at the

If the above is a tad unclear, consider this case:

Package: foo
Version: 1.0-1 (in both testing and unstable)

This has a security bug, and the security team uploads 1.0-1sarge0
with «testing» in the changelog.  This works fine on
security.debian.org and is mapped to the testing-security repository.
Then security.debian.org uploads to ftp-master, but the upload is
rejected because of the version mismatch.

We have exactly the same problem with stable, but stable and unstable
are a lot less in sync than testing and unstable, so we don't see the
problem as much.

There are a few ways to solve those problems, they are being explored
and worked on, but none of them are pretty.

Thanks a lot to both Daniel Silverstone and Colin Watson for their
helpful explanations about this.  (And a good meal.)

Tollef Fog Heen                                                        ,''`.
UNIX is user friendly, it's just picky about who its friends are      : :' :
                                                                      `. `' 

Reply to: