Track security updates during the Tails code freeze
- packages we install from other dists than Debian stable, e.g. from Debian testing or Debian sid. A good example of the problem is the Linux kernel, which we install from sid; for instance, at the time of the 3.2 freeze we got linux 4.12.12-2, but in the middle of the freeze linux 4.12.13-1 was uploaded to sid, and it was not noticed until the final 3.2 was built, so we missed out on several security updates.
- packages we override with our custom APT repo, see e.g. #14729 for one instance of this problem
A short-term, trivial fix would be to:
- add another instance of "Coordinate with Debian security updates" (that we already have in the Pre-freeze section of our release process) later in our release process
- generalize a bit https://tails.boum.org/contribute/release_process/Debian_security_updates/ to make it cover the two cases this ticket is about
Regarding the 1st problem: check the list of packages upgraded between a build from our frozen release branch (stable or testing) and a build from a devel branch (that's unfrozen).
Regarding the 2nd problem: check if any included package has a smaller version than in Debian stable + security. E.g. use the same API as rmadison uses to query the Debian archive.
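The two checks sketched above, as an added example script (not Tails' own tooling). It re-implements dpkg's version ordering so that epochs, `~` pre-release markers and `+deb9uN` security revisions sort the way the archive expects, then (1) diffs the package lists of a frozen-branch build and a devel build to report packages whose version moved, and (2) compares the versions a build ships against the newest version Debian carries in stable + security, read from madison-style rows such as rmadison prints. The manifest format (one `package<TAB>version` line per package), the madison rows and all package versions other than the two kernel versions named in this ticket are constructed samples; the real Tails build artifacts and suite names may differ.

```python
"""Spot packages whose security updates a Tails code freeze could hide.

Added example, not project code.  Manifest / madison samples are constructed.
"""


def _order(c):
    """dpkg's weight for a non-digit character: '~' < end-of-string < letters < others."""
    if c == "~":
        return -1
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_fragment(a, b):
    """Compare an upstream-version or revision string the way dpkg's verrevcmp does."""
    ia = ib = 0
    while ia < len(a) or ib < len(b):
        # Non-digit run: compare character by character with dpkg's weights.
        while (ia < len(a) and not a[ia].isdigit()) or (ib < len(b) and not b[ib].isdigit()):
            oa = _order(a[ia] if ia < len(a) else "")
            ob = _order(b[ib] if ib < len(b) else "")
            if oa != ob:
                return -1 if oa < ob else 1
            ia += 1
            ib += 1
        # Digit run: strip leading zeros, then the longer run wins, else first differing digit.
        while ia < len(a) and a[ia] == "0":
            ia += 1
        while ib < len(b) and b[ib] == "0":
            ib += 1
        first_diff = 0
        while ia < len(a) and ib < len(b) and a[ia].isdigit() and b[ib].isdigit():
            if not first_diff:
                first_diff = (a[ia] > b[ib]) - (a[ia] < b[ib])
            ia += 1
            ib += 1
        if ia < len(a) and a[ia].isdigit():
            return 1
        if ib < len(b) and b[ib].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(v):
    """Split '[epoch:]upstream[-revision]' into its three parts."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    upstream, _, revision = v.rpartition("-") if "-" in v else (v, "", "")
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 like 'dpkg --compare-versions' would order a against b."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)


def parse_manifest(text):
    """Constructed manifest format: 'package<TAB>version' per line; blanks and '#' ignored."""
    packages = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and not fields[0].startswith("#"):
            packages[fields[0]] = fields[1]
    return packages


def upgraded_between(frozen, devel):
    """Problem 1: packages whose version is newer in the devel build than in the frozen one."""
    return [(pkg, frozen[pkg], devel[pkg]) for pkg in sorted(frozen)
            if pkg in devel and compare_versions(frozen[pkg], devel[pkg]) < 0]


def parse_madison(text):
    """Parse 'pkg | version | suite | arches' rows into {(pkg, suite): newest version}."""
    rows = {}
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) < 3 or not parts[0]:
            continue
        key, version = (parts[0], parts[2]), parts[1]
        if key not in rows or compare_versions(version, rows[key]) > 0:
            rows[key] = version
    return rows


def behind_debian(installed, madison, suites=("stretch", "stretch/updates")):
    """Problem 2: packages older than the newest version Debian ships in the given suites."""
    findings = []
    for pkg, ours in sorted(installed.items()):
        newest = None
        for suite in suites:
            v = madison.get((pkg, suite))
            if v and (newest is None or compare_versions(v, newest) > 0):
                newest = v
        if newest and compare_versions(ours, newest) < 0:
            findings.append((pkg, ours, newest))
    return findings


# Constructed samples: kernel versions are the ones named in the ticket, the rest are invented.
FROZEN_MANIFEST = "linux-image-amd64\t4.12.12-2\nopenssl\t1.1.0f-3+deb9u1\nexample-tool\t1.0-1\n"
DEVEL_MANIFEST = "linux-image-amd64\t4.12.13-1\nopenssl\t1.1.0f-3+deb9u1\nexample-tool\t1.0-1\n"
MADISON_SAMPLE = """\
openssl           | 1.1.0f-3+deb9u1 | stretch         | source, amd64
openssl           | 1.1.0f-3+deb9u2 | stretch/updates | source, amd64
linux-image-amd64 | 4.9+80+deb9u1   | stretch         | amd64
"""

if __name__ == "__main__":
    for pkg, old, new in upgraded_between(parse_manifest(FROZEN_MANIFEST), parse_manifest(DEVEL_MANIFEST)):
        print(f"upgraded in devel: {pkg} {old} -> {new}")
    for pkg, ours, deb in behind_debian(parse_manifest(FROZEN_MANIFEST), parse_madison(MADISON_SAMPLE)):
        print(f"behind Debian stable+security: {pkg} {ours} < {deb}")
```

On the sample data the first report names only the kernel (4.12.12-2 to 4.12.13-1), and the second names only openssl: the sid kernel is newer than stretch's metapackage, so it is correctly not flagged, while the `+deb9u1` build is behind the `+deb9u2` security upload. In practice the first check would read the package lists of two real builds, and the second would feed the madison rows fetched for each shipped package.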