On 2018-06-06 11:05:28, Antoine Beaupré wrote:
> Here is the current output:

After staring at that thing and trying to deal with a few of those, I am a little unsure how to actually coordinate this work for now. All this will be resolved within a week or two when jessie transitions over to the LTS team. But in the meantime, it would be nice to move ahead with the package updates anyways.

I've looked at the following:

 * cups (3 CVEs): not in dsa-needed.txt, parts no-dsa planned for next point release, to coordinate with the release team

 * graphicsmagick (~50+ CVEs): apo will handle this with his LTS hat on if it can't be done before the transition

 * mercurial (3 CVEs): unclaimed, in dsa-needed.txt, package update proposed by email, secteam might perform the update

 * php5 (4 CVEs): that will be updated, by the maintainer, to upstream 5.6.36

There's an overlap between dsa-needed.txt (which covers jessie and stretch) and dla-needed.txt (which covers wheezy and jessie). From my conversations with the secteam, it seems we shouldn't edit dsa-needed.txt to claim or add packages. We're allowed to add notes on existing entries and we should check if packages are already assigned before working on them as well.

I would suggest using dla-needed.txt to coordinate work on jessie now. The ELTS folks are already handling wheezy now, so the entries in dla-needed are probably not relevant to wheezy anymore. That way we'd have a space to coordinate the forward-port work that's needed for now, even though it still means coordinating with the secteam and SRM.

Speaking of which, my understanding of the process is that some packages might go through the last stable release update (if e.g. marked no-dsa) or go through a regular security upload by the secteam. In any case, it needs external coordination until jessie is handed over.

I hope that the above is accurate and helps people clarify various things.

If people are comfortable with the idea, I would clear out the dla-needed.txt file and document the above (four) packages there.
From there, regular frontdesk triage would apply as well of course and could turn the previous email's list of 'needs-forward-port' into a regular dla-needed task list.

Cheers,

A.

-- 
The illusion of freedom will continue as long as it's profitable to continue the illusion. At the point where the illusion becomes too expensive to maintain, they will just take down the scenery, they will pull back the curtains, they will move the tables and chairs out of the way and you will see the brick wall at the back of the theater.
                        - Frank Zappa