Track security updates during the Tails code freeze
- packages we install from distributions other than Debian stable, e.g. from Debian testing or Debian sid. A good example of the problem is the Linux kernel, which we install from sid: at the time of the 3.2 freeze we got linux 4.12.12-2, but in the middle of the freeze linux 4.12.13-1 was uploaded to sid, and this was not noticed until the final 3.2 was built, so we missed out on several security updates.
- packages we override with our custom APT repo, see e.g. #14729 for one instance of this problem
A short-term, trivial fix would be to:
- add another instance of the "Coordinate with Debian security updates" step (which we already have in the Pre-freeze section of our release process) later in our release process
- generalize https://tails.boum.org/contribute/release_process/Debian_security_updates/ a bit so that it covers the two cases this ticket is about
Regarding the 1st problem: check the list of packages upgraded between a build from our frozen release branch (stable or testing) and a build from the devel branch (which is unfrozen).
Regarding the 2nd problem: check whether any included package has a smaller version than in Debian stable + security, e.g. by using the same API as rmadison to query the Debian archive.
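Both checks boil down to comparing Debian version strings between two package lists. The following is an added example (not Tails' release-process code) that implements dpkg's version ordering (epoch, `~`, letters-before-symbols) and runs the two checks over constructed manifests; the `linux` versions are the ones quoted above, the `pkg-a`/`pkg-b` entries are made up to exercise epochs, `~` and `+debNuM` suffixes, and in practice the `debian` mapping would be filled from an rmadison-style archive query.

```python
import re

def _order(c):
    # dpkg character weight: '~' sorts before end-of-string (0),
    # letters sort before every other non-digit character.
    if c == '~':
        return -1
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_nondigit(a, b):
    for i in range(max(len(a), len(b))):
        ca = _order(a[i]) if i < len(a) else 0
        cb = _order(b[i]) if i < len(b) else 0
        if ca != cb:
            return -1 if ca < cb else 1
    return 0

def _cmp_fragment(a, b):
    # Alternate runs of non-digits and digits, as dpkg's verrevcmp does.
    while a or b:
        ma, mb = re.match(r'[^0-9]*', a), re.match(r'[^0-9]*', b)
        r = _cmp_nondigit(ma.group(), mb.group())
        if r:
            return r
        a, b = a[ma.end():], b[mb.end():]
        ma, mb = re.match(r'[0-9]*', a), re.match(r'[0-9]*', b)
        na, nb = int(ma.group() or 0), int(mb.group() or 0)
        if na != nb:
            return -1 if na < nb else 1
        a, b = a[ma.end():], b[mb.end():]
    return 0

def _split(v):
    epoch, rest = v.split(':', 1) if ':' in v else ('0', v)
    upstream, _, rev = rest.rpartition('-') if '-' in rest else (rest, '', '')
    return int(epoch), upstream, rev

def compare_versions(a, b):
    """Return -1, 0 or 1, like dpkg --compare-versions lt/eq/gt."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)

def upgraded_between(frozen, devel):
    # 1st problem: packages whose version moved on in the unfrozen build.
    return {p: (frozen[p], devel[p]) for p in frozen
            if p in devel and compare_versions(frozen[p], devel[p]) < 0}

def behind_debian(build, debian):
    # 2nd problem: included packages older than Debian stable + security.
    return {p: (build[p], debian[p]) for p in build
            if p in debian and compare_versions(build[p], debian[p]) < 0}

# Constructed manifests (package name -> version) for the three sources.
FROZEN = {'linux': '4.12.12-2', 'pkg-a': '1:2.0~rc1-1', 'pkg-b': '1.5-3'}
DEVEL = {'linux': '4.12.13-1', 'pkg-a': '1:2.0-1', 'pkg-b': '1.5-3'}
DEBIAN_STABLE_SEC = {'linux': '4.12.13-1', 'pkg-a': '1:2.0~rc1-1', 'pkg-b': '1.5-3+deb9u1'}
```

Running `upgraded_between(FROZEN, DEVEL)` flags `linux` and `pkg-a`; `behind_debian(FROZEN, DEBIAN_STABLE_SEC)` flags `linux` and `pkg-b`, which are the packages a release manager would need to look at during the freeze.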
#12 Updated by intrigeri about 1 month ago
- Assignee changed from intrigeri to anonym
I'm tentatively reassigning this to FT so you can decide what to do with this ticket.
I'd rather leave such tickets assigned to anonym for now so they stand out as something that needs to be shared differently and reassigned, which will make it easier for our team to organize.