
Re: Test uploads for bookworm-security on debusine.debian.net



Hi Chris,

(Moving the secteam to BCC, to avoid spamming them too much afterwards.)

On 07/05/25 at 09:36, Chris Lamb wrote:
> Hey Santiago,
> 
> > According to dsa-needed.txt, nodejs and python-django are being
> > prepared by rouca and lamby, respectively.
> >
> > Could you please tell me if you are willing to test those uploads for
> > bookworm-security?
> 
> For sure. Django would be a good test as it has a large number of
> reverse-deps, and has at least twice found potential in updates to the
> Python runtime.

Great, thank you.

> In fact, a new CVE for Django was released a few hours ago
> (CVE-2025-32873) so we have something to test it with immediately,
> even if we did not want to include/test all of the lower-priority,
> outstanding issues.

I don't have a say on the priority and severity of CVE-2025-32873 for
stable, which I see hasn't been triaged yet ("moderate" according to
upstream). I would coordinate with the secteam on what the best
approach is there (what set of CVEs you would like to fix in the next
upload).

That said, one of the tests that is needed in debusine.d.n is to check
if the provided signed package is correctly uploaded to security-master,
which means the proper final package, and not a preliminary version.

> > As a side note, any Debian developer can currently use debusine.d.n.
> > There are upload-to-unstable and -experimental workflows available, and
> > the debusine team is looking for feedback about how it works.
> 
> Shall I take this as a request to try the upload-to-experimental
> workflows in particular?
> 
> I ask because, with the release of today's CVE, Django is pending an
> update for all upload targets (jessie, stretch, buster, bullseye,
> bookworm, sid & experimental).

My current request is mostly for bookworm. But you are for sure more
than welcome to test it for experimental and unstable.

For ELTS, we will handle that separately on Freexian's infrastructure,
but the workflows are not yet ready.

Don't hesitate to ask if you have more questions.

Thanks,

 -- Santiago
