Re: Auto-update for sid? Auto-backport?

To: debian-devel@lists.debian.org
Subject: Re: Auto-update for sid? Auto-backport?
From: Russ Allbery <rra@debian.org>
Date: Thu, 16 Nov 2017 08:52:21 -0800
Message-id: <[🔎] 87wp2q5fp6.fsf@hope.eyrie.org>
In-reply-to: <[🔎] 20171116154118.igjf6zelqryxkkwn@an3as.eu> (Andreas Tille's message of "Thu, 16 Nov 2017 16:41:18 +0100")
References: <[🔎] f6db377a-b082-fa64-29c7-e29d931aeb8c@gmx.de> <[🔎] 87a7zn31cf.fsf@iris.silentflame.com> <[🔎] A2A20EC3B8560D408356CAC2FC148E53BB4876B9@SUN-DAG3.synchrotron-soleil.fr> <[🔎] 87h8tvxvik.fsf@hope.eyrie.org> <[🔎] 20171116154118.igjf6zelqryxkkwn@an3as.eu>

Andreas Tille <andreas@an3as.eu> writes:

> I think Steffen's point was that all the hideousness you are talking
> about was solved in version a.b.c of the software and if version
> a.b.(c+1) builds and passes our test suite it will most probably not
> have changed.

Oh, yeah, to be clear, I don't have any objections to that part.  Just to
the idea that upstream in general can just maintain the Debian packaging,
or that we want to move in that direction.  A good Debian package
maintainer should still keep an eye on it and update the packaging for
Debian best practices.  But that can be on an independent cadence from the
upstream releases.

We do lose some manual review, but I also question how much we're doing
manual review now.

I would only want to do this with packages that have upstream signatures,
though.  We get some amount of timing-based security from Debian
maintainers downloading the packages whenever they get around to it, since
it's then not predictable when the upstream package will be downloaded and
only persistent compromises of upstream's distribution mechanism are
likely to be effective.  If we're automatically pulling new releases, that
can be more predictable and can open us up to ingesting and building
transient compromised packages.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>

Reply to:

References:
- Auto-update for sid? Auto-backport?
  - From: Steffen Möller <steffen_moeller@gmx.de>
- Re: Auto-update for sid? Auto-backport?
  - From: Sean Whitton <spwhitton@spwhitton.name>
- RE:Auto-update for sid? Auto-backport?
  - From: PICCA Frederic-Emmanuel <frederic-emmanuel.picca@synchrotron-soleil.fr>
- Re: Auto-update for sid? Auto-backport?
  - From: Russ Allbery <rra@debian.org>
- Re: Auto-update for sid? Auto-backport?
  - From: Andreas Tille <andreas@an3as.eu>

Prev by Date: Bug#881927: ITP: pspg -- PostgreSQL pager
Next by Date: Re: Auto-update for sid? Auto-backport?
Previous by thread: Re: Auto-update for sid? Auto-backport?
Next by thread: Re: Auto-update for sid? Auto-backport?
Index(es):
- Date
- Thread