El 08/05/25 a las 18:45, Adrian Bunk escribió: > On Wed, May 07, 2025 at 01:26:32PM -0300, Santiago Ruano Rincón wrote: Hi Adrian > > Currently, debusine.d.n helps to verify how a packages builds on > > different architectures, to run autopkgest (contrary to Salsa CI, > > debusine also includes autopkgtest for reverse dependencies), piuparts > > and lintian. You can read more about debusine and setup instructions > > at: > > https://wiki.debian.org/DebusineDebianNet > > > > After you have initially uploaded the packages to debusine (this can be > > done easily via dput(-ng)), once everything is OK and have the ACK from > > the security team, you can complete the upload providing debusine with a > > signed package. (Instructions for this last step will be found in the > > workflow created by the upload.) > >... > > I have a general question about that: > > A common situation[1] is that I don't know when preparing the package > whether it will be for pu or DSA. > > The status quo is that I finish the package and send the debdiff for > review, and upload the package based on the reply from the security > team. That is a question for the relevant teams, I guess. My simple answer is: if the package is listed in dsa-needed, then you should coordinate with the sec team and prepare it for bookworm-security. If all the CVEs you are fixing are no-dsa, then it's mostly on the release team + maintainers, and prepare a pu. There are cases where a pu is being prepared while the package is also in dsa-needed. So simple coordination with all the related parties makes sense to me. Does the above help to answer your question? > autopkgtest results would be desirable before humans review the debdiff, > should debusine bookworm or bookworm-security or both be used for that? Sure! I'd like to note that the ideal workflow (*) includes reference autopkgtest for reverse dependencies, that will improve the help to identify regressions. See: https://salsa.debian.org/freexian-team/debusine/-/issues/659 So the integration of debusine into our (LTS team) workflows will be done iteratively, including new features once they become available. Another current limitation regarding autopkgtest is that we cannot run the test on the qemu backend, so isolation-machine tests are skipped. See: https://salsa.debian.org/freexian-team/debusine/-/issues/803 (*) we are not there yet If you test debusine.d.n, and you have find any issue, please reach out to the debusine team via #debusine @irc.oftc.net, or via salsa issues. Cheers, -- Santiago
Attachment:
signature.asc
Description: PGP signature