[Secure-testing-commits] r5907 - doc

stef-guest at alioth.debian.org stef-guest at alioth.debian.org
Wed May 23 21:07:52 UTC 2007 

Author: stef-guest
Date: 2007-05-23 21:07:52 +0000 (Wed, 23 May 2007)
New Revision: 5907

Added:
   doc/how-to-DTSA
Log:
DTSA walkthrough
*** contains SPOILERS ;-) ***


Added: doc/how-to-DTSA
===================================================================
--- doc/how-to-DTSA	                        (rev 0)
+++ doc/how-to-DTSA	2007-05-23 21:07:52 UTC (rev 5907)
@@ -0,0 +1,118 @@
+20:40 < micah> its good you are going through this, so we can note these 
+               various undocumented things that are necessary
+20:44 < micah> sf: its like a quest
+20:45 < sf> the secure-testing adventure
+
+
+Upload
+======
+
+The upload can be done by any DD and is described in
+.../website/index.html.
+
+It is a good idea to check in the buildlog that all new patches
+actually get applied. Maybe you forgot to put them in patches/series
+or because of some bug dpatch ignored a patch.
+
+Use debdiff, interdiff etc.
+
+The distribution needs to be "testing-security".
+
+dcut does not seem to work on security-master.debian.org, but someone
+in the sec_public group (micah, neilm, sf, jmm) can remove broken
+files from the upload queue when needed.
+
+
+
+Requirements
+============
+
+Only DDs in the sec_public (and possibly the security?) group can
+accept the uploads (or even login on klecker). They also need to be
+member of the alias that gets the unembargoed build logs. See #88 on
+rt.d.o.
+
+
+
+Autobuilds
+==========
+
+There seems to be a bug in dak: If the orig.tar.gz is already in
+stable-security, the orig.tar.gz is not symlinked into the
+buildd/lenny  directory and the buildds cannot download the source.
+Workaround: Ask aj to create the symlink manually
+
+When you have the buildlogs and the builds look ok, you have to sign
+the changes file embedded in the buildlog and send it to the buildd
+[1]. If you use your own script to do that: the Subject needs to be
+exactly as in the buildlog mail, but with a "Re: " prepended.
+
+A summary which buildlogs have arrived for which packages is at [2].
+
+Some time after the buildd has received the signed .changes, it will
+upload the packages to klecker to
+/org/security.debian.org/queue/unembargoed/. "dak queue-report" gives
+an overview, what packges have arrived in the queue.
+
+If a buildd has problems: A list with the admins is at [3].
+
+[1] http://wiki.debian.org/Buildd/BuildLogs
+[2] http://www.sfritsch.de/~stf/secure-testing-buildlogs.html
+[3] klecker:/org/security.debian.org/doc/buildd-admins.txt
+
+
+
+Releasing the packages
+======================
+
+When all packages have arrived (or you want to release a subset
+because some buildds are broken), go to
+klecker:/org/security.debian.org/queue/unembargoed/
+
+You can compare against a package in stable/updates with
+LANG=en_GB ~joey/bin/diffpackages -d stable clamav
+
+Otherwise do some debdiffing to ensure that the filelists and
+dependencies look correct.
+
+You can install the packages in the security archive with something
+like:
+
+dak new-security-install DTSA-36-1 mydns_1.1.0-7.1lenny1_*.changes
+
+DTSA-36-1 is an identifier that should be the name of the new DTSA.
+However, every identifier can be used only once with dak. So if you
+need a second run, use DTSA-36-1a or DTSA-36-2.
+
+"dak new-security-install" gives you an advisory template. This is not
+used for DTSAs. Ignore it.
+
+After the dak run, the new packages appear on security.debian.org and
+the mirrors are notified. You should get a mail that the packages are
+installed in testing-proposed-updates.
+
+
+
+Announcing
+==========
+
+If there has been a new stable release since the last DTSA, change the
+code names in all the scripts and templates ;-)
+
+How to create the announcement and how to update the tracker is also
+described in .../website/index.html
+
+After you sent the announcement to the announce list, you need to
+accept the mail on the moderator's page [4]. The sec_public people
+should have the password.
+
+Currently sf and luk (and possibly joeyh) can put the new announcements
+on the website (it's on alius.turmzimmer.net). These two should not
+forget to "chmod g+w" and "chgrp sectadm" the files.
+
+[4] http://lists.alioth.debian.org/mailman/admindb/secure-testing-announce
+
+
+
+22:37 < micah> sf: you got the key! now to rescue the princess
+

More information about the Secure-testing-commits mailing list