Re: Test uploads for bookworm-security on debusine.debian.net
On Thu, May 08, 2025 at 02:09:18PM -0300, Santiago Ruano Rincón wrote:
> El 08/05/25 a las 18:45, Adrian Bunk escribió:
> > On Wed, May 07, 2025 at 01:26:32PM -0300, Santiago Ruano Rincón wrote:
>
> Hi Adrian
Hi Santiago,
> > > Currently, debusine.d.n helps to verify how a package builds on
> > > different architectures, to run autopkgtest (contrary to Salsa CI,
> > > debusine also includes autopkgtest for reverse dependencies), piuparts
> > > and lintian. You can read more about debusine and setup instructions
> > > at:
> > > https://wiki.debian.org/DebusineDebianNet
> > >
> > > After you have initially uploaded the packages to debusine (this can be
> > > done easily via dput(-ng)), once everything is OK and you have the ACK from
> > > the security team, you can complete the upload by providing debusine with a
> > > signed package. (Instructions for this last step will be found in the
> > > workflow created by the upload.)
> > >...
> >
> > I have a general question about that:
> >
> > A common situation[1] is that I don't know when preparing the package
> > whether it will be for pu or DSA.
> >
> > The status quo is that I finish the package and send the debdiff for
> > review, and upload the package based on the reply from the security
> > team.
>
> That is a question for the relevant teams, I guess. My simple answer is:
> if the package is listed in dsa-needed, then you should coordinate with
> the sec team and prepare it for bookworm-security. If all the CVEs you
> are fixing are no-dsa, then it's mostly on the release team +
> maintainers, and you should prepare a pu.
>
> There are cases where a pu is being prepared while the package is also
> in dsa-needed. So simple coordination with all the related parties makes
> sense to me.
>
> Does the above help to answer your question?
>...
Unfortunately not, you missed the common case I encountered 5 times last month:
the package does have CVEs that are not no-dsa, but it is not listed in dsa-needed.
That's common when the security team has not yet triaged all new CVEs
in the package for dsa/no-dsa.
Running autopkgtests in stable days or weeks after I have wrapped up
working on the package and published the DLA, and after the security
team has checked the debdiff, is the wrong order.
> Cheers,
>
> -- Santiago
cu
Adrian