
Re: Security releases for ecosystems that use static linking



Thorsten Alteholz wrote:

[ Adding DSA to the CC list ]

> On Mon, 18 Mar 2024, Emilio Pozuelo Monfort wrote:
> > > One solution which has been discussed in the past is to import a full copy
> > > of stable towards stable-security at the beginning of each release cycle,
> > > but that is currently not possible since security-master is a Ganeti VM
> > > and the disk requirements for a full archive copy would rather require
> > > a baremetal host.
> > 
> (... suggestion of Emilio ...)
> > 
> > Thoughts?
> 
> The idea is nice, but needs someone to implement it.
> 
> Anyway, the problem is not really new. For many years, not to say decades,
> I have heard that there is not enough space on security-master.
> I also hear that Debian has so much money and problems spending it.
> So why not solve this problem by buying new hardware? This cannot be that
> difficult. Is there any reason why security-master needs to be a Ganeti VM?

The obvious reason is to avoid hardware refreshes and better redundancy,
but I agree it would be really great to move forward with a solution for
security-master.

The current setup where security.d.o only holds a subset of the archive
has long-standing issues which cause a lot of toil for FTP masters and people
making security uploads:
- Every initial upload of a package using Built-Using needs manual FTP master
  interaction
- The need to include full source in the initial upload leads to unneeded
  roundtrips when people forget it (and there are also even crazier corner cases,
  like a new foo.tar.gz for oldstable-security and stable-security at the same time)
- No possibility for binNMUs, leading to a need for sourceful uploads if needed

Cheers,
        Moritz
