On Thu, May 08, 2025 at 02:09:18PM -0300, Santiago Ruano Rincón wrote:
> El 08/05/25 a las 18:45, Adrian Bunk escribió:
> > On Wed, May 07, 2025 at 01:26:32PM -0300, Santiago Ruano Rincón wrote:
>
> Hi Adrian
>
Hi Santiago,

> > > Currently, debusine.d.n helps to verify how a package builds on
> > > different architectures, to run autopkgtest (contrary to Salsa CI,
> > > debusine also includes autopkgtest for reverse dependencies), piuparts
> > > and lintian. You can read more about debusine and setup instructions
> > > at:
> > > https://wiki.debian.org/DebusineDebianNet
> > >
> > > After you have initially uploaded the packages to debusine (this can be
> > > done easily via dput(-ng)), once everything is OK and you have the ACK from
> > > the security team, you can complete the upload providing debusine with a
> > > signed package. (Instructions for this last step will be found in the
> > > workflow created by the upload.)
> > >...
> >
> > I have a general question about that:
> >
> > A common situation[1] is that I don't know when preparing the package
> > whether it will be for pu or DSA.
> >
> > The status quo is that I finish the package and send the debdiff for
> > review, and upload the package based on the reply from the security
> > team.
>
> That is a question for the relevant teams, I guess. My simple answer is:
> if the package is listed in dsa-needed, then you should coordinate with
> the sec team and prepare it for bookworm-security. If all the CVEs you
> are fixing are no-dsa, then it's mostly on the release team +
> maintainers, and prepare a pu.
>
> There are cases where a pu is being prepared while the package is also
> in dsa-needed. So simple coordination with all the related parties makes
> sense to me.
>
> Does the above help to answer your question?
>...

Unfortunately not, you missed the common case I encountered 5 times last
month:

The package does have CVEs that are not no-dsa, but it is not listed in
dsa-needed. That's common when the security team has not yet triaged all
new CVEs in the package for dsa/no-dsa.
Running autopkgtests in stable days or weeks after I had wrapped up
working on the package and published the DLA, and after the security
team has checked the debdiff, that's the wrong order.

> Cheers,
>
> -- Santiago

cu
Adrian
