Signing the builds for binary:any updates
In contrast to development in unstable, builds for arch:any packages need to be signed by the Security Team. Once they are signed, the compiled packages are uploaded to klecker.
Failed builds can be retried by replying to the buildd mail with a message containing a single line: either retry or give-back.
Build mails can be signed with dpkg-approve-buildd; there is also a config snippet for mutt. Alternatively, extract the .changes file from the middle of the buildd log by hand, sign it with debsign, and send it in reply to the message containing the buildd log. The buildd will eventually upload the package to /org/security.debian.org/queue/embargoed on klecker.
TODO: need a publicly available copy of dpkg-approve-buildd
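For the manual path described above, the following added example (not the Security Team's tooling, and not a stand-in for dpkg-approve-buildd) pulls the .changes stanza out of a buildd log and refuses to hand it on for signing if it is ambiguous or truncated. It assumes the stanza appears in the log as a single control paragraph that starts with a Format: line and ends at the next blank line; the function names and the sample log are constructed for illustration.

```python
REQUIRED = ("Format", "Source", "Architecture", "Version", "Distribution", "Checksums-Sha256", "Files")

def extract_changes(log_text):
    """Return each paragraph starting with 'Format:' (assumed log layout, see lead-in)."""
    stanzas, current = [], None
    for line in log_text.splitlines():
        if current is None:
            if line.startswith("Format:"):
                current = [line]
        elif not line.strip():          # a blank line ends the control paragraph
            stanzas.append(current)
            current = None
        else:
            current.append(line)
    if current:                         # log ended before a blank line
        stanzas.append(current)
    return ["\n".join(s) + "\n" for s in stanzas]

def parse_fields(stanza):
    """Parse 'Name: value' lines; indented lines continue the previous field."""
    fields, name = {}, None
    for line in stanza.splitlines():
        if line[0] in " \t" and name:
            fields[name].append(line.strip())
        else:
            name, _, value = line.partition(":")
            fields[name] = [value.strip()] if value.strip() else []
    return fields

def changes_to_sign(log_text):
    """Return (stanza, fields) only if exactly one complete stanza is present."""
    stanzas = extract_changes(log_text)
    if len(stanzas) != 1:
        raise ValueError(f"expected one .changes stanza, found {len(stanzas)}")
    fields = parse_fields(stanzas[0])
    missing = [f for f in REQUIRED if not fields.get(f)]
    if missing:
        raise ValueError("truncated stanza, missing: " + ", ".join(missing))
    listed = {entry.split()[-1] for entry in fields["Files"]}
    hashed = {entry.split()[-1] for entry in fields["Checksums-Sha256"]}
    if listed != hashed:
        raise ValueError("Files and Checksums-Sha256 name different files")
    return stanzas[0], fields

# Constructed sample log: package name, suite and hashes are placeholders.
SAMPLE_LOG = ("build output\n\nFormat: 1.8\nSource: example\nArchitecture: amd64\n"
              "Version: 1.0-1\nDistribution: example-suite\nChecksums-Sha256:\n"
              " SHA256-PLACEHOLDER 1234 example_1.0-1_amd64.deb\nFiles:\n"
              " MD5-PLACEHOLDER 1234 utils optional example_1.0-1_amd64.deb\n\nmore output\n")
```

Write the returned stanza to a .changes file and run debsign on it only after the check passes; compare the Distribution and Version fields against the update you intend to release before signing.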
Writing the advisory text
Write an advisory. Examples can be found on klecker in /org/security.debian.org/advisories/DSA. Note that the template advisory generated by dak new-security-install is broken in various regards; it's better to work from an existing advisory.
Once all builds are available and the advisory text is ready, send a mail to email@example.com. The update will be reviewed and released as described in the following section.