Signing the builds for binary:any updates

In contrast to development in unstable, builds for arch:any packages need to be signed by the Security Team. Once they are signed, the compiled packages are uploaded to klecker.

Failed builds can be retried by replying to the buildd mail with a message containing the single line retry or give-back.

Build mails can be signed with dpkg-approve-buildd. There's also a config snippet for mutt. Alternatively, you can extract the .changes file from the middle of the buildd log by hand and sign it using debsign. After that, send it in reply to the message containing the buildd log. The buildd will eventually upload the package to /org/ on klecker.
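As an added example for the manual route (not part of the original page, and not dpkg-approve-buildd itself), the following Python pulls the .changes paragraph out of a buildd log and refuses it unless it names the upload you expect to sign. The log excerpt, package name, version and suite are constructed, and it assumes the log embeds the .changes as a blank-line-delimited control paragraph beginning with Format:.

```python
import re
FIELD = re.compile(r"^([A-Za-z0-9-]+):[ \t]*(.*)$")
REQUIRED = {"Format", "Source", "Architecture", "Version", "Distribution", "Files"}
# Constructed log excerpt; the package, version and suite names are made up.
SAMPLE_LOG = """\
Build finished

Format: 1.8
Source: hello
Architecture: amd64
Version: 1.0-1+sec1
Distribution: example-security
Changes:
 hello (1.0-1+sec1) example-security; urgency=high
   * Constructed changelog entry.
Files:
 00000000000000000000000000000000 1234 utils optional hello_1.0-1+sec1_amd64.deb

Build needed 00:01:02
"""

def find_changes(log_text):
    """Return (text, fields) for the single .changes paragraph in a buildd log."""
    lines, found = log_text.splitlines(), []
    for start, line in enumerate(lines):
        if not line.startswith("Format:"):
            continue
        block, fields = [], {}
        for entry in lines[start:]:
            m = FIELD.match(entry)
            if not entry.strip() or not (m or entry[0] in " \t"):
                break                      # blank or non-control line ends it
            block.append(entry)
            if m:                          # continuation lines start with a space
                fields[m.group(1)] = m.group(2)
        if REQUIRED <= fields.keys():
            found.append(("\n".join(block) + "\n", fields))
    if len(found) != 1:                    # refuse ambiguous or missing input
        raise ValueError(f"expected one .changes paragraph, found {len(found)}")
    return found[0]

def changes_for_signing(log_text, source, version, distribution):
    """Return the .changes text only if it names the expected upload."""
    text, fields = find_changes(log_text)
    expected = {"Source": source, "Version": version, "Distribution": distribution}
    for name, want in expected.items():
        if fields[name] != want:
            raise ValueError(f"{name} is {fields[name]!r}, expected {want!r}")
    return text
```

Save the returned text as the .changes file and sign that file with debsign; a ValueError means the log did not contain exactly the upload you intended to approve.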

TODO: need a publicly available copy of dpkg-approve-buildd

Writing the advisory text

Write an advisory. Examples can be found on klecker in /org/ Note that the template advisory generated by dak new-security-install is broken in various regards; it's better to work from an existing advisory.

Once all builds are available and the advisory text is ready, send a mail to The update will be reviewed and released as described in the following section.