
Workflow for handling security issues in testing



Hi,

https://security-tracker.debian.org/tracker/CVE-2018-11235
(https://public-inbox.org/git/xmqqy3g2flb6.fsf@gitster-ct.c.googlers.com/)
reminded me that I don't fully understand the process for handling
embargoed security issues in sid and testing.

When preparing updates for an embargoed issue in stable
(https://www.debian.org/doc/manuals/developers-reference/ch05.en.html#bug-security),
the packager uploads to security-master and auto-builders are able to
build for supported platforms before the embargo expires.  Once the
embargo expires, the package is released and available quickly for
users to upgrade.

After preparing updates for an embargoed issue in sid, the packager
uploads to ftp-master once the embargo expires.  There is an additional
delay for auto-builders to build the package before the binary package
is available, unless the packager prepares binary packages locally in
advance and uploads them as well.  Is that the recommended practice?

With severity=high, a security fix then takes two more days before it
hits testing.  Is there a way to expedite it?  My experience with
https://bugs.debian.org/871823 was "no".

Is my understanding correct?  Any other points?

Thanks,
Jonathan

