
staging security updates

On 2016-04-28 02:54:36, Brian May wrote:
> - Created private signed repository for staging my proposed updates for
>   testing. https://people.debian.org/~bam/debian/

So I've been thinking about this as well, and this seems to be a
resource we all need and should figure out a way to implement in a
broader scope.

Right now, I also have my own ad-hoc repo on people.debian.org, but I
haven't made the jump of deploying reprepro out there, and before I do
that, I figured it would be nice to discuss with others how best to
implement this collectively.

For me, the requirement is to have an archive where we can publish
non-embargoed security upgrades for broader testing before they migrate
into the regular security suite. Optionally, it could also (reproducibly?)
build the packages for all supported architectures.

I've looked at Debomatic just to get things out the door, but I'm still
waiting for access there. Because it's not an official project and
it doesn't bridge with our existing authentication mechanisms, that
doesn't seem to be an option that works well just yet. Plus the suites
are set up weirdly[1] and there's no "wheezy" suite.

 [1] http://debomatic-amd64.debian.net/debomatic/jessie-backports/dists/jessie-backports/

Could we have a proposed-updates suite for security the same way we have
for stable point releases? I know we generally want to push security
updates out as quickly as possible, but some issues are very public
already and we sometimes lag enough that it doesn't matter that we take
a few more days giving people the chance to test things first. This is
especially relevant with LTS where we generally *are* lagging behind
updates, basically by design.

I know there's a sensitive issue of using Debian infrastructure for
consulting at play here. Maybe we can flip that around and actually
*leverage* LTS sponsors to make something work for Debian as a whole. :)

Is that crazy? Not a new idea? Flamebait? Thanks for any feedback. :)


In a world where Henry Kissinger wins the Nobel Peace Prize,
there is no need for satire.
                        - Tom Lehrer
