Re: Workflow for handling security issues in testing

[Niels Thykier <niels@thykier.net>]

Jonathan Nieder:
> Hi,
> 
> [...]
> 


Hi Jonathan,

Just replying to part of your enquiry

> With severity=high, a security fix then takes two more days before it
> hits testing.  Is there a way to expedite it?  My experience with
> https://bugs.debian.org/871823 was "no".
> 
> Is my understanding correct?  Any other points?
> 
> Thanks,
> Jonathan
> 
The 2 days are measured from the first time the package has been made
available by dak.  And then there are some corner cases in how we handle
"aging" that may slightly complicates how "2 days" are defined here.

It is *technically possible* to expedite an upload to migrate faster
than "2 days" (including omitting the delay entirely).  However, at the
moment a signifiant part of our QA relies on the delay to catch
(obvious) mistakes.  As such, we generally reserve such exemptions to
the aging for "very urgent" issues[1].
  I am hoping we will eventually get to a point where the automated QA
tests provided to the testing migration decision can replace the
arbitrary delay we currently use to enable manual testing.  Though I
doubt we are ready to do that any time soon.

Thanks,
~Niels

[1] Deployed as an "urgent"-hint in britney:

https://release.debian.org/doc/britney/hints.html#urgent-action-list