Signing the builds for binary:any updates

In contrast to uploads to unstable, the binaries the buildds produce for arch:any packages need to be signed by a member of the Security Team before they are accepted. Once the .changes files are signed, the compiled packages are uploaded to klecker.

A failed build can be retried by replying to the buildd mail with a message whose body consists of the single line retry or give-back.

Build mails can be signed with dpkg-approve-buildd; there is also a config snippet for mutt (both are described below). Alternatively, extract the .changes file from the middle of the buildd log by hand, sign it with debsign, and send the signed .changes in reply to the message containing the buildd log. The buildd will eventually upload the package to /org/security.debian.org/queue/embargoed on klecker.

Using dpkg-approve-buildd

Adjust http://cvs.infodrom.org/tools/debian/dpkg-approve-buildd?cvsroot=infodrom for your name/email/paths/etc.

Save the buildd success mails to a directory, one mail per file.

Run dpkg-approve-buildd, passing it the filename of each log mail.

Using mutt and grab-changes.py

Fetch http://devin.com/debian/grab-changes.py ; put it in your $PATH.

Adapt this line (at least the pgp_sign_as address) and add it to your .muttrc:

send-hook '~t buildd@ ~s success' "set pgp_autosign=yes indent_string='' edit_headers=yes editor='grab-changes.py' fast_reply=yes pgp_create_traditional=yes include=yes pgp_sign_as=username@debian.org"

You'll probably also want something like this to restore your usual settings afterward:

send-hook . "set editor='vi' fast_reply=no indent_string='> '"

Writing the advisory text

Write an advisory. Examples can be found on klecker in /org/security.debian.org/advisories/DSA. Note that the template advisory generated by dak new-security-install is broken in various regards; it's better to work from an existing advisory.

Once all builds are available and the advisory text is ready, send a mail to team@security.debian.org. The update will be reviewed and released as described in the following section.