
Re: Auto-update for sid? Auto-backport?
Andreas Tille <andreas@xxxxxxxx> writes:

> I think Steffen's point was that all the hideousness you are talking
> about was solved in version a.b.c of the software and if version
> a.b.(c+1) builds and passes our test suite it will most probably not
> have changed.

Oh, yeah, to be clear, I don't have any objections to that part.  Just to
the idea that upstream in general can just maintain the Debian packaging,
or that we want to move in that direction.  A good Debian package
maintainer should still keep an eye on it and update the packaging for
Debian best practices.  But that can be on an independent cadence from the
upstream releases.

We do lose some manual review, but I also question how much we're doing
manual review now.

I would only want to do this with packages that have upstream signatures,
though.  We get some amount of timing-based security from Debian
maintainers downloading the packages whenever they get around to it, since
it's then not predictable when the upstream package will be downloaded and
only persistent compromises of upstream's distribution mechanism are
likely to be effective.  If we're automatically pulling new releases, that
can be more predictable and can open us up to ingesting and building
transient compromised packages.

-- 
Russ Allbery (rra@xxxxxxxxxx)               <http://www.eyrie.org/~eagle/>
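The criterion argued for above, restricting automatic ingestion to packages whose upstream releases are signed, can be made mechanical. The following is an added example, not code from the thread or from any Debian tool: a small eligibility gate that refuses to auto-update a package unless its debian/watch configures uscan's OpenPGP signature check (the pgpsigurlmangle option, or a pgpmode value that implies a signature is fetched) and a pinned upstream keyring exists under debian/upstream/. The package trees, watch file contents and keyring placeholder are constructed for the demonstration, and the set of pgpmode values treated as "signature required" is an assumption based on uscan's documented modes, not something the thread states.

```python
"""Eligibility gate for automatic upstream ingestion (added example).

Policy: a package qualifies for auto-update only if
  1. debian/watch enables signature verification, and
  2. a pinned upstream keyring (debian/upstream/signing-key.asc or .pgp) exists.
The gate only decides eligibility; the actual signature check is still
performed by uscan/gpgv against that keyring at download time.
"""
import re
import tempfile
from pathlib import Path

# pgpmode values that cause uscan to fetch and verify a signature on its own.
# Assumption: this list reflects uscan's modes as documented; "default"
# only verifies when pgpsigurlmangle is also present, so it is not listed.
SIGNATURE_MODES = ("auto", "next", "previous", "self", "gittag")
SIG_OPTS = re.compile(
    r"(?:^|,)(?:pgpsigurlmangle=|pgpmode=(?:%s)(?:,|$))" % "|".join(SIGNATURE_MODES)
)
KEYRING_FILES = ("debian/upstream/signing-key.asc", "debian/upstream/signing-key.pgp")


def watch_has_signature_check(watch_text):
    """Return True if any entry in a debian/watch file verifies signatures."""
    # Join backslash line continuations so a multi-line entry is one line.
    joined = re.sub(r"\\\n\s*", " ", watch_text)
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("version="):
            continue
        # opts may be quoted (opts="a=b,c=d") or bare (opts=a=b).
        m = re.search(r'opts=(?:"([^"]*)"|(\S+))', line)
        if not m:
            continue
        opts = m.group(1) if m.group(1) is not None else m.group(2)
        if SIG_OPTS.search(opts):
            return True
    return False


def eligible_for_auto_update(pkg_dir):
    """Return (eligible, reason) for a Debian source package directory."""
    pkg_dir = Path(pkg_dir)
    watch = pkg_dir / "debian" / "watch"
    if not watch.is_file():
        return False, "no debian/watch"
    if not watch_has_signature_check(watch.read_text()):
        return False, "debian/watch does not verify upstream signatures"
    if not any((pkg_dir / rel).is_file() for rel in KEYRING_FILES):
        return False, "no pinned upstream keyring under debian/upstream/"
    return True, "ok"


# Constructed watch files for the demonstration (hypothetical URLs).
WATCH_SIGNED = (
    "version=4\n"
    'opts="pgpsigurlmangle=s/$/.asc/,filenamemangle=s/.*\\/v?(\\d\\S+)\\.tar\\.gz/foo-$1.tar.gz/" \\\n'
    "  https://example.invalid/foo/releases/foo-(\\d[\\d.]*)\\.tar\\.gz\n"
)
WATCH_UNSIGNED = (
    "version=4\n"
    "https://example.invalid/bar/releases/bar-(\\d[\\d.]*)\\.tar\\.gz\n"
)


def demo():
    """Build two constructed package trees and run the gate over each."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        good = Path(tmp) / "foo"
        (good / "debian" / "upstream").mkdir(parents=True)
        (good / "debian" / "watch").write_text(WATCH_SIGNED)
        # Placeholder keyring content; only its presence is checked here.
        (good / "debian" / "upstream" / "signing-key.asc").write_text(
            "-----BEGIN PGP PUBLIC KEY BLOCK-----\n(constructed placeholder)\n"
            "-----END PGP PUBLIC KEY BLOCK-----\n"
        )
        bad = Path(tmp) / "bar"
        (bad / "debian").mkdir(parents=True)
        (bad / "debian" / "watch").write_text(WATCH_UNSIGNED)

        results["foo"] = eligible_for_auto_update(good)
        results["bar"] = eligible_for_auto_update(bad)
    return results


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print("%s: %s (%s)" % (name, "auto-update" if ok else "manual only", reason))
```

A pipeline that pulls new upstream versions on a schedule would run this gate first and route anything that fails it to a human maintainer; packages that pass still rely on uscan verifying the detached signature against the pinned keyring before the tarball is built, which is what turns the "only persistent compromises are effective" argument into an enforced check rather than a hope.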