[cut-team] Some experience with security support for testing
Stefan Fritsch
sf at debian.org
Sun Aug 29 11:31:27 UTC 2010
Hi,
I have read about CUT in the DPL bits. I don't have enough time to
join the effort or even read the whole list archive. But I was
involved in testing-security and maybe I can give you an idea how much
work it was.
IMHO, testing-security worked extremely well during the lenny release
cycle, i.e. from about May 2007 to lenny's release in February 2009.
That's about 21 months. In this time there were 163 direct uploads to
testing-security [1] and more than 139 NMUs to unstable [2]. All in
all, that's about one security upload every two days.
If you have snapshots with security support, you would even need more
updates because you cannot profit from fixes uploaded by the package
maintainers. For comparison, etch had around 430 DSAs in the same
time.
Most of the work was done by two people, Nico Golde and Steffen
Joeris. In the beginning, I did quite some work, too. But the amount
of work is too large for two or three people. Also, there is the
problem of motivation: The updates to testing-security usually stay
useful only for a few weeks, until a fixed version migrates from
unstable. In stable, the updates stay around for a few years, which
gives a higher motivation to spend time on preparing them.
Somewhere during Lenny's release cycle, all members of the testing
security team also became members of the stable security team. After
Lenny's release, there was more motivation to work on stable security,
and there were not many uploads to testing-security anymore. As you
may have noticed, there is more than enough work for stable.
I don't know what your current plans are, but having more than one
snapshot of testing with security support at the same time is
completely unrealistic. Apart from that, it always depends on what
level of security support you want to provide. If you want to have a
snapshot with security support, you should definitely be prepared to
pull selected fixes directly from unstable, in case the non-security
changes are relatively small and the dependencies have not changed.
This will save quite a bit of work.
There is also the testing-security-announce list [3], which
(automatically) announces security fixes entering from unstable or via
testing-security, in case you wonder how often that happens.
I hope that this has been at least somewhat interesting. I am not
subscribed to the list, please CC me if you have any questions.
Cheers,
Stefan
PS: I have also CCed Nico and Steffen in case they want to comment.
Please drop them from CC if you reply.
[1] http://svn.debian.org/wsvn/secure-testing/data/DTSA/list
[2] http://svn.debian.org/wsvn/secure-testing/data/NMU/list (I don't
think this list is kept up-to-date anymore)
[3] http://lists.debian.org/debian-testing-security-announce/