CentOS Stream Pipeline / CS-1770

Need documentation on the CS build to release pipeline

    • Type: Task
    • Resolution: Unresolved
    • Release Engineering
    • Testable

      When dealing with CVE-2023-4911 (glibc local privilege escalation), which was an embargoed update for RHEL and is still not pushed to CS at the time of writing, it occurred to me that it's hard to figure out the relationship between the tags on kojihub.stream.centos.org, where the packages can be downloaded from, and what sort of testing has been done.

      Motivation: get access to signed packages that have undergone a reasonable amount of testing, so they can be evaluated for deployment in case of critical security updates, without waiting for the compose to hit mirrors.

      Some questions:

      • what does the workflow look like, at a high level?
      • what's the transition between c9s-pending and c9s-pending-signed?
      • what sort of tests get run before a package hits c9s-pending-signed?
      • once a package gets tagged, how often do composes happen?
      • what sort of tests are run on a compose before the compose is ready to be pushed out? – bookwar said https://github.com/CentOS/sig-core-t_functional
      • do releases get pushed out automatically, periodically, or ad hoc?
      • can we expedite getting composes out if they contain critical security fixes?

            asamalik@redhat.com Adam Samalik
            michel.lind Michel Lind