Re: Workflow for handling security issues in testing

To: debian-release@lists.debian.org
Cc: debian-security@lists.debian.org
Subject: Re: Workflow for handling security issues in testing
From: Jonathan Nieder <jrnieder@gmail.com>
Date: Thu, 31 May 2018 22:36:27 -0700
Message-id: <[🔎] 20180601053627.GC111965@aiede.svl.corp.google.com>
In-reply-to: <32ac4d52-ad7a-442a-0381-c4137a52c59a@thykier.net>
References: <20180530160340.GA50693@aiede.svl.corp.google.com> <32ac4d52-ad7a-442a-0381-c4137a52c59a@thykier.net>

Hi Niels,

Niels Thykier wrote:
> Jonathan Nieder:

>> With severity=high, a security fix then takes two more days before it
>> hits testing.  Is there a way to expedite it?  My experience with
>> https://bugs.debian.org/871823 was "no".
[...]
> The 2 days are measured from the first time the package has been made
> available by dak.  And then there are some corner cases in how we handle
> "aging" that may slightly complicates how "2 days" are defined here.
>
> It is *technically possible* to expedite an upload to migrate faster
> than "2 days" (including omitting the delay entirely).  However, at the
> moment a signifiant part of our QA relies on the delay to catch
> (obvious) mistakes.  As such, we generally reserve such exemptions to
> the aging for "very urgent" issues[1].

Thanks.  That helps.

Git appears to have been blocked today by
https://alioth-lists.debian.net/pipermail/piuparts-devel/2018-May/007797.html.
Would an "urgent" hint have prevented that?

I would like to see the update in unstable to protect users.  For
example, see [2].  I don't think most users of testing realize that
they also need to include stable-backports in sources.list to get
security fixes.  That said, by the time you read this message it's
likely that it will have auto-migrated. :)

>   I am hoping we will eventually get to a point where the automated QA
> tests provided to the testing migration decision can replace the
> arbitrary delay we currently use to enable manual testing.  Though I
> doubt we are ready to do that any time soon.

For next time, if I have done sufficient testing (manual piuparts run,
having internal users use it in daily life, etc) privately during the
embargo period, should I file a bug against the release.debian.org to
make an "urgent" hint when the embargo expires?

Thanks,
Jonathan

> [1] Deployed as an "urgent"-hint in britney:
>
> https://release.debian.org/doc/britney/hints.html#urgent-action-list
[2] https://blog.npmjs.org/post/174411769410/how-npm-is-affected-by-the-recently-disclosed-git.

Reply to:

Follow-Ups:
- Re: Workflow for handling security issues in testing
  - From: Adrian Bunk <bunk@debian.org>
- Re: Workflow for handling security issues in testing
  - From: Niels Thykier <niels@thykier.net>

Next by Date: Re: Workflow for handling security issues in testing
Next by thread: Re: Workflow for handling security issues in testing
Index(es):
- Date
- Thread