Release process: automate "Coordinate with Debian security updates"
Manually scanning this is error-prone: for instance, I think I screwed up when preparing Tails 6.2 (#20350 (closed)). So IMHO we should automate this.
Implementation-wise it could work by cloning (probably a shallow clone since this repo is intense) of https://salsa.debian.org/security-tracker-team/security-tracker/ and parsing recent data/DSA/list, data/dsa-needed.txt, etc., and comparing against a recent .build-manifest from a suitable branch.
Bonus: this could then be used to continuously (e.g. daily) monitor for security issues and notify tails-rm@ when one is found in the current release.
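
The comparison proposed above, as an added example that is not part of the original issue or of Tails' tooling: it parses entries in the data/DSA/list layout and reports source packages whose shipped version predates the DSA fix, using dpkg's version ordering. The sample list, its IDs and package names are constructed, and the example assumes the .build-manifest has already been reduced to a source-package-to-version mapping; data/dsa-needed.txt is not covered.

```python
import re

# Constructed sample in the data/DSA/list layout (IDs and packages are made up).
SAMPLE_DSA_LIST = (
    "[21 Apr 2024] DSA-0000-1 examplepkg - security update\n"
    "\t{CVE-0000-0001}\n"
    "\t[bullseye] - examplepkg 1:2.0-1~deb11u1\n"
    "\t[bookworm] - examplepkg 1:2.0-1~deb12u1\n"
    "[20 Apr 2024] DSA-0000-2 otherpkg - security update\n"
    "\t[bookworm] - otherpkg 3.1-2+deb12u1\n")
# Assumption: source package -> version, already extracted from .build-manifest.
SAMPLE_MANIFEST = {"examplepkg": "1:1.9-3", "otherpkg": "3.1-2+deb12u1"}

HEAD = re.compile(r"\[[^\]]+\] (DSA-\d+-\d+) \S+")
# Per-release fix line; lines without a concrete version are ignored.
FIX = re.compile(r"\s+\[([\w-]+)\] - (\S+) ([^<\s]\S*)")

def parse_dsa_list(text, release):
    """Yield (dsa_id, source_package, fixed_version) entries for one release."""
    dsa = None
    for line in text.splitlines():
        if m := HEAD.match(line):
            dsa = m[1]
        elif (m := FIX.match(line)) and dsa and m[1] == release:
            yield dsa, m[2], m[3]

def _order(c):  # dpkg ordering: "~" < end of string < letters < other symbols
    return -1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256

def _key(part):
    """Sort key for one version component: alternating non-digit/digit runs."""
    return [([_order(c) for c in nd] + [0], int(d or 0))
            for nd, d in re.findall(r"(\D*)(\d*)", part)]

def deb_key(version):
    """Sort key for a full Debian version string (epoch, upstream, revision)."""
    epoch, rest = version.split(":", 1) if ":" in version else ("0", version)
    upstream, rev = rest.rsplit("-", 1) if "-" in rest else (rest, "0")
    return int(epoch), _key(upstream), _key(rev)

def missing_fixes(dsa_text, release, shipped):
    """Return (dsa, source, shipped, fixed) where shipped predates the fix."""
    return [(d, s, shipped[s], f) for d, s, f in parse_dsa_list(dsa_text, release)
            if s in shipped and deb_key(shipped[s]) < deb_key(f)]
```

A non-empty result from `missing_fixes(text, "bookworm", manifest)` is what a daily job would turn into a notification.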