Jonathan Nieder:
> Hi Niels,
>
> Niels Thykier wrote:
>> Jonathan Nieder:
>
>>> With severity=high, a security fix then takes two more days before it
>>> hits testing. Is there a way to expedite it? My experience with
>>> https://bugs.debian.org/871823 was "no".
> [...]
>> The 2 days are measured from the first time the package has been made
>> available by dak. And then there are some corner cases in how we handle
>> "aging" that may slightly complicate how "2 days" are defined here.
>>
>> It is *technically possible* to expedite an upload to migrate faster
>> than "2 days" (including omitting the delay entirely). However, at the
>> moment a significant part of our QA relies on the delay to catch
>> (obvious) mistakes. As such, we generally reserve such exemptions to
>> the aging for "very urgent" issues[1].
>
> Thanks. That helps.
>
> Git appears to have been blocked today by
> https://alioth-lists.debian.net/pipermail/piuparts-devel/2018-May/007797.html.
> Would an "urgent" hint have prevented that?
>
No. An "ignore-piuparts" hint could have done it (but we would probably have preferred waiting for the retest, which you requested).

> [...]
>> I am hoping we will eventually get to a point where the automated QA
>> tests provided to the testing migration decision can replace the
>> arbitrary delay we currently use to enable manual testing. Though I
>> doubt we are ready to do that any time soon.
>
> For next time, if I have done sufficient testing (manual piuparts run,
> having internal users use it in daily life, etc) privately during the
> embargo period, should I file a bug against the release.debian.org to
> make an "urgent" hint when the embargo expires?
>
> Thanks,
> Jonathan
>
> [...]

Historically, we tend to prefer "age-days 2" over "urgent" to ensure some basic level of testing; I suspect that is what you would end up getting in the general case if you requested an "urgent"-hint.

Changing this will require a lot more maturity in our autopkgtests infrastructure: primarily a majority of all packages having useful autopkgtests and autopkgtests regressions being a testing blocker. At that point we will probably start to become more likely to waive the aging requirement for packages with fixes for security issues. But even then that does not imply that there will be a general carte blanche exemption on the QA tests for these packages (i.e. I expect that autopkgtests, piuparts, etc. should still pass).

But on a related note: I have considered Philipp's idea of importing data from the security-tracker and I think that is a good idea. For now, we could use it to automatically bump the urgency and as the QA matures, we could eventually use it to waive the age requirement entirely for packages with sufficient levels of automated QA (that passes).

Thanks,
~Niels