Re: testing security uploads to bookworm-security
- To: Paul Gevers <elbrus@debian.org>, debian-release <debian-release@lists.debian.org>
- Cc: Ansgar <ansgar@debian.org>, Debian FTP Master <ftpmaster@debian.org>, Moritz Muehlenhoff <jmm@inutil.org>, Debian Security Team <team@security.debian.org>, debian-wb-team@lists.debian.org, wb-team@buildd.debian.org, Steve McIntyre <93sam@debian.org>
- Subject: Re: testing security uploads to bookworm-security
- From: Salvatore Bonaccorso <carnil@debian.org>
- Date: Fri, 10 Mar 2023 23:11:44 +0100
- Message-id: <ZAurIADytpSu/p+A@eldamar.lan>
- Mail-followup-to: Paul Gevers <elbrus@debian.org>, debian-release <debian-release@lists.debian.org>, Ansgar <ansgar@debian.org>, Debian FTP Master <ftpmaster@debian.org>, Moritz Muehlenhoff <jmm@inutil.org>, Debian Security Team <team@security.debian.org>, debian-wb-team@lists.debian.org, wb-team@buildd.debian.org, Steve McIntyre <93sam@debian.org>
- In-reply-to: <[🔎] ZAth3PXggrA9DNl2@aurel32.net>
- References: <dc5a483e-13dd-86da-e2cd-85fa0b310ef4@debian.org> <20230306213707.GA3909@inutil.org> <ZAcI0sCM8ZPd7Ra3@eldamar.lan> <ZAcM8Horodg+MC23@eldamar.lan> <ZAcqnEExO/msIc2C@eldamar.lan> <871qlywzhm.fsf@43-1.org> <[🔎] ZAm2gpRstNZP5Frq@eldamar.lan> <[🔎] ZAtS9DMozIptjNLN@eldamar.lan> <[🔎] ZAth3PXggrA9DNl2@aurel32.net>
Hi Aurelien,
On Fri, Mar 10, 2023 at 05:59:08PM +0100, Aurelien Jarno wrote:
> Hi,
>
> On 2023-03-10 16:55, Salvatore Bonaccorso wrote:
> > Hi,
> >
> > On Thu, Mar 09, 2023 at 11:35:46AM +0100, Salvatore Bonaccorso wrote:
> > > Hi Ansgar,
> > >
> > > [Adding debian-wb-team@lists.debian.org list]
> > >
> > > On Thu, Mar 09, 2023 at 01:16:21AM +0100, Ansgar wrote:
> > > > Hi,
> > > >
> > > > Salvatore Bonaccorso writes:
> > > > > python-cryptography/38.0.4-3~deb12u1 was uploaded to security-master
> > > > > as source only upload, the upload got rejected with:
> > > > >
> > > > > | Source-only uploads to NEW are not allowed.
> > > >
> > > > There were two issues:
> > > >
> > > > - The override sync from ftp-master to security-master was not handling
> > > > the fancy new `-security` addition to suite names.
> > > >
> > > > - `bookworm-security` was still configured to not accept any uploads
> > > > (as was done when the suite was created to prevent accidental
> > > > uploads).
> > > >
> > > > Both issues are now solved and the python-cryptography source upload was
> > > > processed successfully.
> > >
> > > Thank you for addressing both. I can confirm we have now partially
> > > builds on the embargoed queue.
> >
> > FTR, Steve as well uploaded src:shim to test the code signing
> > involving path, and looks fine AFAICS. To Steve's request we will
> > though not install those packages, so reject them from the embargoed
> > queues.
> >
> > > From what I see there are the mipsel and mips64el builds missing and
> > > according to a quick chat with Adam on IRC it is not that they are yet
> > > just missing because of buildd overloaded. Actually bookworm-security
> > > seems not yet configured to be handled by mipsel and mips64el buildds.
> > >
> > > Wanna-build team, can you have a look and check the mipsel, mips64el
> > > status (and actually if we are setup complete as well on buildd setup
> > > for bookworm-security)?
>
> Sorry to not have looked that earlier. Indeed none of the mips*el
> buildds were configured to build bookworm-security. I have enabled it on
> two buildds for now, but this has to be done for all buildds. We also
> need to check that it is the case for the other architectures. I have no
> time now, I'll keep you updated once done, but in the meantime you
> should be able to do tests with more packages.
>
> > This one would still need to be checked, looping in as well Debian
> > Build Daemon team alias. Buildd admins, chan you have a look? I still
> > would like to install for real python-crytpography, though we have
> > missed the window to do it earlier than the -3 upload migrated to
> > testing. It still should work I think. Otherwise we will do then
> > another test with another package.
>
> python-cryptography has now been uploaded on both mipsel and mips64el.
Thanks, confirmed the two bulds arrived as well.
Paul and release team, here is a summary: so I think we can confirm
that the bookworm-security side of things works now (modulo the above
checking by Aurelien). We did:
Test python-cryptography upload as rebuild of the one uploaded to
unstable, as it was near to the migration time and to be superseeded
anyway. This happened before we were able to install. But the on all
release archictecures we had builds triggered (after Ansgar as well
did adjust security-master side of things). After the packages got
sucessfully built we did install it into the security archive. it is
available there. The package got rejected to be accepted in
testing-proposed-updates in the following due to the 38.0.4-3 already
been migrated to testing.
Steve uploaded src:shim samewise to bookworm-security, involving the
code-singing part. This went fine as well, we rejected the packages
from the embargoed queues afterwards.
A third test was done with libtmps which had a security fix in
unstable, but not yet migrated to testing. 0.9.2-3.1~deb12u1 got built
every where and installing it in the security-archive was sucessful.
The following step to sync int to testing-proposed-updates worked as
well, it is now there:
libtpms | 0.9.2-3~bpo11+1 | bullseye-backports | source
libtpms | 0.9.2-3~bpo11+1 | bullseye-backports-debug | source
libtpms | 0.9.2-3 | testing | source
libtpms | 0.9.2-3.1~deb12u1 | buildd-testing-proposed-updates | source
libtpms | 0.9.2-3.1~deb12u1 | testing-proposed-updates | source
libtpms | 0.9.2-3.1~deb12u1 | testing-proposed-updates-debug | source
libtpms | 0.9.2-3.1 | unstable | source
libtpms | 0.9.2-3.1 | unstable-debug | source
Regards,
Salvatore
Reply to: