stef-guest at alioth.debian.org
2007-May-23 21:07 UTC
[Secure-testing-commits] r5907 - doc
Author: stef-guest
Date: 2007-05-23 21:07:52 +0000 (Wed, 23 May 2007)
New Revision: 5907

Added:
   doc/how-to-DTSA
Log:
DTSA walkthrough *** contains SPOILERS ;-) ***

Added: doc/how-to-DTSA ==================================================================--- doc/how-to-DTSA (rev 0) +++ doc/how-to-DTSA 2007-05-23 21:07:52 UTC (rev 5907) 
@@ -0,0 +1,118 @@ +20:40 < micah> its good you are going through this, so we can note these + various undocumented things that are necessary +20:44 < micah> sf: its like a quest +20:45 < sf> the secure-testing adventure + + +Upload +=====+ +The upload can be done by any DD and is described in +.../website/index.html. + +It is a good idea to check in the buildlog that all new patches +actually get applied. Maybe you forgot to put them in patches/series +or because of some bug dpatch ignored a patch. + +Use debdiff, interdiff etc. + +The distribution needs to be "testing-security". + +dcut does not seem to work on security-master.debian.org, but someone +in the sec_public group (micah, neilm, sf, jmm) can remove broken +files from the upload queue when needed. + + + +Requirements +===========+ +Only DDs in the sec_public (and possibly the security?) group can +accept the uploads (or even login on klecker). They also need to be +member of the alias that gets the unembargoed build logs. See #88 on +rt.d.o. + + + +Autobuilds +=========+ +There seems to be a bug in dak: If the orig.tar.gz is already in +stable-security, the orig.tar.gz is not symlinked into the +buildd/lenny directory and the buildds cannot download the source. +Workaround: Ask aj to create the symlink manually + +When you have the buildlogs and the builds look ok, you have to sign +the changes file embedded in the buildlog and send it to the buildd +[1]. If you use your own script to do that: the Subject needs to be +exactly as in the buildlog mail, but with a "Re: " prepended. + +A summary which buildlogs have arrived for which packages is at [2]. + +Some time after the buildd has received the signed .changes, it will +upload the packages to klecker to +/org/security.debian.org/queue/unembargoed/. "dak queue-report" gives +an overview, what packges have arrived in the queue. + +If a buildd has problems: A list with the admins is at [3]. 
+ +[1] http://wiki.debian.org/Buildd/BuildLogs +[2] http://www.sfritsch.de/~stf/secure-testing-buildlogs.html +[3] klecker:/org/security.debian.org/doc/buildd-admins.txt + + + +Releasing the packages +=====================+ +When all packages have arrived (or you want to release a subset +because some buildds are broken), go to +klecker:/org/security.debian.org/queue/unembargoed/ + +You can compare against a package in stable/updates with +LANG=en_GB ~joey/bin/diffpackages -d stable clamav + +Otherwise do some debdiffing to ensure that the filelists and +dependencies look correct. + +You can install the packages in the security archive with something +like: + +dak new-security-install DTSA-36-1 mydns_1.1.0-7.1lenny1_*.changes + +DTSA-36-1 is an identifier that should be the name of the new DTSA. +However, every identifier can be used only once with dak. So if you +need a second run, use DTSA-36-1a or DTSA-36-2. + +"dak new-security-install" gives you an advisory template. This is not +used for DTSAs. Ignore it. + +After the dak run, the new packages appear on security.debian.org and +the mirrors are notified. You should get a mail that the packages are +installed in testing-proposed-updates. + + + +Announcing +=========+ +If there has been a new stable release since the last DTSA, change the +code names in all the scripts and templates ;-) + +How to create the announcement and how to update the tracker is also +described in .../website/index.html + +After you sent the announcement to the announce list, you need to +accept the mail on the moderator''s page [4]. The sec_public people +should have the password. + +Currently sf and luk (and possibly joeyh) can put the new announcements +on the website (it''s on alius.turmzimmer.net). These two should not +forget to "chmod g+w" and "chgrp sectadm" the files. + +[4] http://lists.alioth.debian.org/mailman/admindb/secure-testing-announce + + + +22:37 < micah> sf: you got the key! now to rescue the princess +
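Review bot: In the Autobuilds section, the step "you have to sign the changes file embedded in the buildlog and send it to the buildd" is gated only on "the builds look ok", and since that signature is what lets the buildd upload to the unembargoed queue, the text should say which checks are expected before signing. The Upload section already names one (confirming in the buildlog that all new patches are applied); repeating or referencing it at the signing step would make the gate explicit. Smaller points: "(and possibly the security?)" in Requirements leaves the access rule as an open question and should be resolved or marked as a TODO; "packges" in the "dak queue-report" sentence is a typo; "moderator''s" and "it''s" in Announcing carry doubled apostrophes; and the IRC lines at the top and bottom of the file would read better set off from the how-to text proper.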