[cut-team] Some experience with security support for testing
sf at debian.org
Sun Aug 29 11:31:27 UTC 2010
I have read about CUT in the DPL bits. I don't have enough time to
join the effort or even read the whole list archive. But I was
involved in testing-security and maybe I can give you an idea how much
work it was.
IMHO, testing-security worked extremely well during the lenny release
cycle, i.e. from about May 2007 to lenny's release in February 2009.
That's about 21 months. In this time there were 163 direct uploads to
testing-security  and more than 139 NMUs to unstable . All in
all, that's about one security upload every two days.
If you have snapshots with security support, you would even need more
updates because you cannot profit from fixes uploaded by the package
maintainers. For comparison, etch had around 430 DSAs in the same
Most of the work was done by two people, Nico Golde and Steffen
Joeris. In the beginning, I did quite some work, too. But the amount
of work is too large for two or three people. Also, there is the
problem of motivation: The updates to testing-security usually stay
useful only for a few weeks, until a fixed version migrates from
unstable. In stable, the updates stay around for a few years, which
gives a higher motivation to spend time on preparing them.
Somewhere during Lenny's release cycle, all members of the testing
security team became also members of the stable security team. After
Lenny's release, there was more motivation to work on stable security,
and there were not many uploads to testing-security anymore. As you
may have noticed, there is more than enough work for stable.
I don't know what your current plans are, but having more than one
snapshot of testing with security support at the same time is
completely unrealistic. Apart from that, it always depends on what
level of security support you want to provide. If you want to have a
snapshot with security support, you should definitely be prepared to
pull selected fixed directly from unstable, in case the non-security
changes are relatively small and the dependencies have not changed.
This will save quite a bit of work.
There is also the testing-security-announce list , which
(automatically) announces security fixes entering from unstable or via
testing-security, in case you wonder how often that happens.
I hope that this has been at least somewhat interesting. I am not
subscribed to the list, please CC me if you have any questions.
PS: I have also CCed Nico and Steffen in case they want to comment.
Please drop them from CC if you reply.
 http://svn.debian.org/wsvn/secure-testing/data/NMU/list (I don't
think this list is kept up-to-date anymore)
More information about the cut-team