
Re: Workflow for handling security issues in testing



Jonathan Nieder:
> Hi Niels,
> 
> Niels Thykier wrote:
>> Jonathan Nieder:
> 
>>> With severity=high, a security fix then takes two more days before it
>>> hits testing.  Is there a way to expedite it?  My experience with
>>> https://bugs.debian.org/871823 was "no".
> [...]
>> The 2 days are measured from the first time the package has been made
>> available by dak.  And then there are some corner cases in how we handle
>> "aging" that may slightly complicate how "2 days" are defined here.
>>
>> It is *technically possible* to expedite an upload to migrate faster
>> than "2 days" (including omitting the delay entirely).  However, at the
>> moment a significant part of our QA relies on the delay to catch
>> (obvious) mistakes.  As such, we generally reserve such exemptions to
>> the aging for "very urgent" issues[1].
> 
> Thanks.  That helps.
> 
> Git appears to have been blocked today by
> https://alioth-lists.debian.net/pipermail/piuparts-devel/2018-May/007797.html.
> Would an "urgent" hint have prevented that?
> 

No.  An "ignore-piuparts" hint could have done it (but we would probably
have preferred waiting for the retest, which you requested).

> [...]
>> I am hoping we will eventually get to a point where the automated QA
>> tests provided to the testing migration decision can replace the
>> arbitrary delay we currently use to enable manual testing.  Though I
>> doubt we are ready to do that any time soon.
> 
> For next time, if I have done sufficient testing (manual piuparts run,
> having internal users use it in daily life, etc) privately during the
> embargo period, should I file a bug against the release.debian.org to
> make an "urgent" hint when the embargo expires?
> 
> Thanks,
> Jonathan
> 
> [...]
Historically, we tend to prefer "age-days 2" over "urgent" to ensure
some basic level of testing; I suspect that is what you would end up
getting in the general case if you requested an "urgent"-hint.
Changing this will require a lot more maturity in our autopkgtests
infrastructure: primarily a majority of all packages having useful
autopkgtests and autopkgtests regressions being a testing blocker.  At
that point we will probably start to become more likely to waive the
aging requirement for packages with fixes for security issues.  But even
then that does not imply that there will be a general carte blanche
exemption on the QA tests for these packages (i.e. I expect that
autopkgtests, piuparts, etc. should still pass).

But on a related note: I have considered Philipp's idea of importing
data from the security-tracker and I think that is a good idea.  For
now, we could use it to automatically bump the urgency and as the QA
matures, we could eventually use it to waive the age requirement
entirely for packages with sufficient levels of automated QA (that passes).

Thanks,
~Niels

