Debian does this by having a separate security.debian.org repository that only serves security packages.
We could push to both regular and separate security repository which would then allow users to update only on security releases.
The problem is that we then need to separately upload to another repository and we also need to make sure that upgrades between those packages do not error out. This then goes against the way we are shipping, where we are expecting users to upgrade often so they get all the updates (not just security).
I've contacted packagecloud support to see if I can get some advice on how to approach this and after that I will decide if it is worth investing more time.
Setting up a separate security repository makes sense for Debian, not that much for omnibus which is a collection of packages.
With omnibus-gitlab, every time we update a component that was vulnerable we would have to update the security repo. Since that might happen more often than one would expect, I don't think it is worth investing more time into setting this up.
We encourage users to update often to get all the improvements.