
Re: freeze and security fixes

Hi Jérémy,

On 28-02-2019 16:05, Jérémy Lal wrote:
> the documentations:
> https://release.debian.org/buster/freeze_policy.html
> https://www.debian.org/doc/manuals/developers-reference/ch05.html#bug-security
> 
> leave me unsettled about what to do during freeze w.r.t. security
> uploads in testing.
> (for a known and upstream-fixed CVE):
> - should i just go ahead and upload to unstable ?

You can do that, but as the first link states, you'll have to get
approval from the release team to have it migrate to testing:

"""
Note that when considering a request for an unblock, the changes between
the (proposed) new version of the package in unstable and the version
currently in testing are taken in to account. If there is already a
delta between the package in unstable and testing, the relevant changes
are all of those between testing and the new package, not just the
incremental changes from the previous unstable upload. This is also the
case for changes that were already in unstable at the time of the
freeze, but didn't migrate at that point.

We strongly prefer changes that can be done via unstable instead of
testing-proposed-updates. If there are unrelated changes in unstable,
you should consider reverting these instead of making an upload to
testing-proposed-updates.
"""

and

"""
Targeted fixes

A targeted fix is one with only the minimum necessary changes to resolve
a bug. The freeze process is designed to make as few changes as possible
to the forthcoming release. Uploading unrelated changes is likely to
result in a request for you to revert them if you want an unblock.
"""

So make sure the only change in unstable with respect to testing is the
fix for the security issue (and possible other bugs that qualify for an
unblock).

> - should i set urgency=high ?

This has no effect during the freeze period, so it doesn't matter (but
is consistent with normal behavior).

> - should i send a debdiff and wait for ack from security team first ?

Waiting for the ack from the security team is only needed for the upload
to stable. For the fix in testing you need to do the same with the release
team, except you don't have to wait for the ack to upload to unstable
(keeping in mind the above mentioned and linked requirements).

Paul

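The advice above boils down to one check before asking for an unblock: the delta between the package in testing and the one in unstable must contain nothing but the security fix. The script below is an added example, not part of the thread and not a Debian tool; it reads the unified diff that `debdiff old.dsc new.dsc` prints and lists every changed path that falls outside `debian/changelog` and `debian/patches/`, which is the allowlist a targeted cherry-picked fix normally stays within. The package name `foo`, the file names and the two sample diffs are constructed for illustration; the allowlist is an assumption to adjust per package (a fix carried as a direct upstream source change would touch other paths).

```shell
#!/bin/sh
# Added example (not Paul's or Debian's code): audit a debdiff for files
# unrelated to a targeted security fix. Input is a unified diff such as
# `debdiff foo_1.0-1.dsc foo_1.0-2.dsc` produces; samples below are constructed.

# Paths a targeted fix is allowed to touch (assumption; adjust per package).
ALLOWED_RE='^debian/changelog$|^debian/patches/'

# changed_files DIFF: print each path from a "+++ <tree>/<path>" header,
# with the leading tree directory (e.g. foo-1.0/ or b/) and timestamp dropped.
changed_files() {
    printf '%s\n' "$1" | sed -n 's#^+++ [^/]*/\([^[:space:]]*\).*#\1#p' | sort -u
}

# unrelated_files DIFF: print the changed paths not matched by ALLOWED_RE.
unrelated_files() {
    changed_files "$1" | grep -Ev "$ALLOWED_RE" || true
}

# is_targeted DIFF: exit 0 only when every changed path is on the allowlist.
is_targeted() {
    [ -z "$(unrelated_files "$1")" ]
}

# Constructed sample: changelog entry plus a new quilt patch and its series line.
TARGETED_DIFF=$(cat <<'EOF'
diff -Nru foo-1.0/debian/changelog foo-1.0/debian/changelog
--- foo-1.0/debian/changelog 2019-01-10 12:00:00.000000000 +0100
+++ foo-1.0/debian/changelog 2019-02-28 16:30:00.000000000 +0100
@@ -1 +1,7 @@
+foo (1.0-2) unstable; urgency=high
+
+  * Cherry-pick the upstream fix for the security issue.
+
+ -- Maintainer <maintainer@example.org>  Thu, 28 Feb 2019 16:30:00 +0100
+
 foo (1.0-1) unstable; urgency=medium
diff -Nru foo-1.0/debian/patches/fix-security-issue.patch foo-1.0/debian/patches/fix-security-issue.patch
--- foo-1.0/debian/patches/fix-security-issue.patch 1970-01-01 01:00:00.000000000 +0100
+++ foo-1.0/debian/patches/fix-security-issue.patch 2019-02-28 16:30:00.000000000 +0100
@@ -0,0 +1,2 @@
+Description: cherry-picked upstream fix (constructed placeholder)
+Origin: upstream
diff -Nru foo-1.0/debian/patches/series foo-1.0/debian/patches/series
--- foo-1.0/debian/patches/series 2019-01-10 12:00:00.000000000 +0100
+++ foo-1.0/debian/patches/series 2019-02-28 16:30:00.000000000 +0100
@@ -0,0 +1 @@
+fix-security-issue.patch
EOF
)

# Constructed sample: the same fix bundled with packaging churn that the
# release team would ask to have reverted.
UNRELATED_DIFF="$TARGETED_DIFF
$(cat <<'EOF'
diff -Nru foo-1.0/debian/control foo-1.0/debian/control
--- foo-1.0/debian/control 2019-01-10 12:00:00.000000000 +0100
+++ foo-1.0/debian/control 2019-02-28 16:30:00.000000000 +0100
@@ -3 +3 @@
-Standards-Version: 4.2.1
+Standards-Version: 4.3.0
diff -Nru foo-1.0/debian/rules foo-1.0/debian/rules
--- foo-1.0/debian/rules 2019-01-10 12:00:00.000000000 +0100
+++ foo-1.0/debian/rules 2019-02-28 16:30:00.000000000 +0100
@@ -1 +1 @@
-#!/usr/bin/make -f
+#!/usr/bin/make -f
EOF
)"

# Stand-alone usage: report which sample would survive an unblock review.
for name in TARGETED_DIFF UNRELATED_DIFF; do
    eval "diff=\$$name"
    if is_targeted "$diff"; then
        echo "$name: only allowed paths changed"
    else
        echo "$name: unrelated changes in:"
        unrelated_files "$diff" | sed 's/^/  /'
    fi
done
```

In practice you would feed it the real output, e.g. `debdiff foo_1.0-1.dsc foo_1.0-2.dsc > delta.diff` followed by `is_targeted "$(cat delta.diff)"`, and compare against the version currently in testing rather than the previous unstable upload, since the release team judges the whole testing-to-unstable delta.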