►
From YouTube: Discussing security release migration Part 1
A
A
So
what
I've
been
thinking
about
is
like
defining
redefining
the
problem
again.
So
if
I
just
go
on
the
top
top
level
and
think
about
the
problem
we
are
trying
to
resolve.
This
is
not
the
migration
from
that
Gettle
of
the
torque
to
github.com
of
development
of
security
release.
It
seems
like
the
smallest
chunk.
The
actual
biggest
chunk
of
the
problem
here
is
figuring
out
how
to
ensure
that
the
auto
deploy
branches
continue
to
flow.
A
In
all
case,
is
there
even
if
we
say
alright,
let's
just
keep
the
development
of
security
fixes
on
dev,
so
not
bite
that
out,
because
that
is
hard
enough
to
migrate.
We
still
have
to
figure
out
a
way
to
continuously
deploy
and
still
have
those
fixes
exposed
publicly
when
they're,
when
it's
time
to
explore
exposing
publicly
right.
A
A
A
B
A
A
B
A
B
A
A
A
And
what
actually
is
is
a
bit
shocking
to
me.
Is
that
degrees
still
no
on
stop
the
train
situation,
so
we
have
a
bunch
of
issues
open
and
people
are
working
on
it,
but
we
still
continue
emerging
stuff
and
everything
is
broken.
I
really
really
really
want
us
to
have
blocked
merges
when
mastery
red
anyway,
we
are
not
going
to
have
that,
so
we
are
going
to
assume
that
we're
never
gonna
have
that.
A
The
main
problem
with
having
tree
branches
like
this
is
that
the
ploy
branch
can
continuously
be
read
or
I
guess
this
is
a
fault
with
our
system
of
cherry
picking
rather
than
merging,
because
we
would
now
need
to
cherry
pick
every
master
read.
That
means
we
need
to
track
that
as
well,
like
every
master
read,
merge
request
we
need
to
cherry-pick
into
our
auto
deploy
in
order
to
ensure
the
thought
of
deploy
is
green
right
if
we
were
to
merge
branches
directly
into
lasso
master
into
security
security
into
deploy.
A
A
A
B
We
just
take
the
latest
green
thing
from
that,
but
again
that
puts
us
in
situation
where
we're
deploying
something
where
we
say
the
security
fixes
the
merge
in
the
master,
so
it
should
be
deployed.
But
maybe
the
brand
isn't
green
at
that
point,
that
we
go
back
to
the
previous
green
security
master
and
a
missing
stuff
right.
A
A
Well,
if
this
is
our
only
concern
with
this
process,
I
am
ready
to
take
that
risk
and
then
fight
for
stop
the
world
button.
When
master
is
red
for
longer
than
two
hours
I'm
fine
we're
dealing
with
that,
because
then
we
we
will.
Then
we
have
a
different
problem
instead
of
a
problem
of
exposing
security
fixes
by
accident.
A
B
B
B
A
B
A
Because
I
want
to
have
a
situation
where
we
have
a
auto
deploy
branch
created
daily.
You
know
and
when
we
come
to
that
situation,
then
whether
you
have
a
deploy
branch
or
not,
doesn't
really
matter,
you're,
basically
deploying
from
master,
and
at
that
point
you
can
do
a
cut
off
cut
over
to
master
right.
A
A
A
B
B
A
A
B
A
Let's
ignore
master
and
stable
branches
for
now
completely,
but
let's
not
discuss
them.
Let's
focus
on
this
flow
here
developers
we
create
a
new
want
to
deploy
branch,
cherry
picker
picks
into
this
branch
and
this
branch
for
the
first
time.
So
when
we
create
this
branch
for
the
first
time
pool
mirror
pulls
it
and
prefixes
it
with
security,
slash
right.
B
A
B
A
B
Interesting
because
stuff
theoretically
can
go
into
master
soon
as
it's
ready,
because
we
don't
care
about
master
on
dev,
really
we're
not
building
anything
from
that.
We're
not
tagging
from
that
yep
and
then
what
we
have
is,
although
the
problem
there
is
because
that's
now
I
will
sync,
it
stops
all
mirroring
that
one
branch
well.
A
A
It's
it's
a
bit
silly
that
it
stops
the
world
I
know
why
it
does
it,
but
it
still
doesn't
mean
that
we
shouldn't
build
around
or
build
a
fix
for
it
so
say
that
we
have
this
fixed
and
that
only
diverged
branches
don't
gain.
Think
everything
else
gets
saved
right
yeah.
So
now
we
have
a
situation
where
this
branch
is
diverging
from
master
security.
It's.
A
B
A
A
A
B
A
A
A
A
A
Totally
different,
basically
right
like
this
is
no
longer
can
like
security
can,
no
longer
being,
you
can
no
longer
being
considered
as
a
head,
because
it's
not
in
fact
there
are
different
branches
in
this
case
with
some
magic.
If
we
detect
that
pull
mirroring
is
no
longer
running
on
this
branch,
we
have
system
where
merge
train.
Actually,
no,
we
don't
even
have
to
detect.
We
can
have
a
system
where
merge,
train
continuously
tries
to.
A
A
A
A
Right
now,
let's
go
through
the
rest
of
the
process.
Yeah
merge,
train,
merge,
canonical
into
security
Auto
deploy
the
push
mirror
will
now
do
what
for
built,
because
now
these
branches
well,
these
branches
have
been
merged,
which
means
that
the
security
to
build
should
still
continue
to
work.
So
the
push
here.
B
A
B
A
A
B
A
B
B
A
Yeah
right,
yeah
yeah,
there
is
no
literally
no
reason
part
from
no.
There
is
no
reason
for
us
to
do
that.
The
only
thing
that
I
could
imagine
right
now
to
be
a
problem
is
when
we
use
the
yacht
to
deploy
or
to
deploy
status
command,
that
we
ensure
that
we
actually
show
from
the
security
or
from
dev.
It
doesn't
really
matter
so
that
it's
clear
what
is
in
the
auto
deploy
branch?
That's.
B
B
We
need
to
update
the
branch
creation
for
auto,
deploy
where
it
creates
security,
/
auto,
deploy
in
security
repositories
only
instead
of
creating
auto
deploy
on
canonical
like
we
do
now.
Jessie
yeah,
because
we
don't
longer
care
about
canonical
having
an
order
to
avoid
ranch
right
stuff
is
never
merged
into
that.
B
B
A
A
A
Know
what
what
I
think
this
is
pointing
us
towards?
Let's
just
do
all
development
in
private.
It
makes
it
so
much
simpler
and.
A
B
B
A
A
It
doesn't
really
matter
it
doesn't
matter,
I,
guess
let
me
remove
it
with
the
back
PS
master.
B
B
A
A
A
Can
you
take
that
note?
Well,
I,
guess
we
have
this
recording,
so
we
can
I.
Will
anyway,
though,
which
note
the
note
is
security
master?
Is
there
only
to
ensure
that
the
master
is
green
and
that
we
have
a
place?
So
we
have
our
source
branch
to
back
port
things
from
and
then
parentheses,
stable
branch
and
not
to
deploy
branches.
A
B
A
A
A
B
A
B
A
A
B
A
A
A
A
B
A
What
I
need
to
find
out
or
what
I
need
to
know
before
I
answer
your
question:
there
is:
how
often
do
we
expect
that
would
happen,
because
if
we
are
gonna
resolve
that
problem
for
one
percent
of
the
cases
I'm
more
than
happy
to
use
the
escalation
process,
if
we
agree
to
use
it
that
we'll
use
it
for
that.
For
helping
us
resolve
this
manually
right
like
if
the
vast
majority
of
the
cases
is
going
to
be,
there
is
no
problem,
we
can
just
use
this
strategy
or
even
better.
A
A
Let's
say
we
use
your
strategy
of
we're
just
more
security,
12:3
stable
into
master
at
the
moment
of
publishing.
That
means
we
don't
have
to
have
any
separate
strategy
for
merge,
requests
that
were
merged
into
security.
We
don't
leak
out
any
unpublished,
security
fixes,
and
the
only
thing
that
is
left
to
do
here
is
ensure
that
security
12:3
stable,
is
synced
to
12:3
stable.
B
B
B
A
B
A
A
Theoretically,
what
we
could
do
is
because
we
will
have
all
the
systems
here,
meaning
we
will
have
related
issues.
We
will
have
a
related,
merge
request
and
so
on.
Theoretically,
what
we
could
do
is
at
the
moment
of
merge
into
into
master
security
master.
We
label
the
merge
request
as
unpublished,
something
like
that.
Then,
at
the
moment
of
publishing,
we
gather
all
those
merge
across
the.
A
Exactly
and
then
we
pick
them
into
master,
and
then
we
unlabeled
them
to
indicate
that
they
are
now
published.
I
like
it,
we
sink
through
the
rest
of
the
process
in
a
similar
way
to
option
1
and
like
I,
would
prefer
your
approach,
because
it's
simpler,
your
approach
is
problematic
because
it
has
a
potential
of
an
edge
case
that
will
break
stuff.
B
A
Can
be
done
automatically
right
so,
for
example,
you
use
the
merge
request,
template
with
specific
labels.
Right,
you
say
automatically
say
it's
unreleased
the
developer
reviewer
they
do
not
have
to
care,
they
just
need
to
merge
into
master
and
by
default
it's
unreleased
or
unpublished.
Sorry,
but
if
Lucy
it's
unpublished.
B
B
A
A
A
A
A
We
are
at
I'm
Robert,
so
a
couple
of
things
here
for
you
to
investigate.
Please
come
back
to
me
on
this
tomorrow.
It
would
be
not
only
a
deal
but
like
necessary
to
discuss
to
have
this
cleared
up
by
tomorrow,
because
I
want
us
to
do
another
call
tomorrow
to
just
go
through
the
same
process
one
more
time
and
when
we
feel
confident
enough
that
the
process
is
semi.
Okay,
we
can
create
issues
based
on
the
discussion
and
then
we
can
make
sure
that
those
issues
have
the
labels
ensuring
what
is
critical.