
Re: #Auto-Update: yes|no|minorversion for d/control?

Hi Andrius,

On Mon, Jun 10, 2019 at 06:40:42AM +0300, Andrius Merkys wrote:
> This sounds tempting. Upstreams of quite a bunch of packages are
> well-behaved and could be trusted to produce non-breaking updates, at least
> for patch and minor versions. What worries me are license changes and
> security issues. While the former could be formally detected
> (licensecheck), the entry threshold for potential backdoors would be
> lowered by auto-updates (man-in-the-middle and the like). I'd trust only
> GPG-signed release tarballs.

To my perception signed release tarballs are quite some minority.
Several upstreams were convinced to provide release tarballs at all.
The current situation is that I'm doing lots of updates
semi-automatically using routine-update[1].  For me this is a good
compromise between spending not too much time for an upgrade (which for
instance can be done while sitting in some meeting that might not need
my full attention) and full automatisation which is probably hard to
approach.  For me it is questionable whether the time that needs to be
spent on **real** automatisation can be brought back by this

The current status of not yet updated packages is mostly due to the
freeze and will be solved after Buster is released in about 1-2 months.

Kind regards


[1] https://salsa.debian.org/r-pkg-team/maintenance-utilities/blob/master/routine-update

