Here is my transparent report for my work on the Debian Long Term
Support (LTS) <https://wiki.debian.org/LTS> and Debian Extended Long
Term Support (ELTS) <https://wiki.debian.org/LTS/Extended%20project>,
which extend the security support for past Debian releases, as a paid
contributor.

In August, the monthly sponsored hours were split evenly among
contributors depending on their max availability - I was assigned 21.75h
for LTS (out of my 30 max; all done) and 14.25h for ELTS (out of my 20
max; all done).

We had a /Birds of a Feather/ videoconf
<https://meetings-archive.debian.net/pub/debian-meetings/2020/DebConf20/72-debian-lts-bof.webm>
session <https://debconf20.debconf.org/talks/72-debian-lts-bof/> at
DebConf20, sadly with varying quality for participants (from very good
to unusable), where we shared the first results of the LTS survey.

There were also discussions about evaluating our security reactivity,
which proved surprisingly hard to estimate (neither CVE release dates
nor criticality metrics are accurate or easily available), and about
when it is appropriate to use public naming in procedures.

Interestingly, ELTS gained new supported packages, thanks to a new
sponsor -- so far I'd seen the opposite, because we were close to the EOL.

As always, there were opportunities to de-dup work through mutual
cooperation with the Debian Security team, and through similar LTS/ELTS
updates.

/ELTS - Jessie/

  * Fresh build VMs
  * rails/redmine: investigate issue
    <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=964432>,
    initially no-action as it can't be reproduced on Stretch and isn't
    supported in Jessie; follow-up
    <https://lists.debian.org/debian-lts/2020/08/msg00053.html> when
    it's supported again
  * ghostscript: global triage: identify upstream fixed version,
    distinguish CVEs fixed within a single patch, bisect
    non-reproducible CVEs, reference missing commit (including at MITRE
    <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16299>)
  * ghostscript: fix 25 CVEs, security upload ELA-262-1
    <https://deb.freexian.com/extended-lts/updates/ela-262-1-ghostscript/>
  * ghostscript: cross-check against the later DSA-4748-1 (almost identical)
  * software-properties: jessie triage: mark back for update, at least
    for consistency with Debian Stretch and Ubuntu (all suites)
  * software-properties: security upload ELA-266-1
    <https://deb.freexian.com/extended-lts/updates/ela-266-1-software-properties/>
  * qemu: global triage: update status and patch/regression/reproducer
    links for 6 pending CVEs
  * qemu: jessie triage: fix 4 'unknown' lines for qemu following
    changes in package attribution for XSA-297; work continues in September

/LTS - Stretch/

  * sane-backends: global triage: sort and link patches for 7 CVEs
  * sane-backends: fix DEP-8 test and notify
    <https://bugs.debian.org/968369> the maintainer
  * sane-backends: security upload DLA-2332-1
    <https://lists.debian.org/debian-lts-announce/2020/08/msg00029.html>
  * ghostscript: security upload DLA-2335-1
    <https://lists.debian.org/debian-lts-announce/2020/08/msg00032.html>
    (cf. common ELTS work)
  * ghostscript: rebuild ("give back") on armhf, blame armhf, get told
    <https://lists.debian.org/debian-lts/2020/08/msg00040.html> it was a
    concurrency / build system issue -_-'
  * software-properties: security upload DLA-2339-1
    <https://lists.debian.org/debian-lts-announce/2020/08/msg00035.html>
    (cf. common ELTS work)
  * wordpress: global triage: reference regression for CVE-2020-4050
  * wordpress: stretch triage: update past CVE status; work continues in
    September, probably with an upstream upgrade from 4.7.5 to 4.7.18
  * nginx: cross-check my July update against the later DSA-4750-1 (same
    fix)
  * DebConf BoF + IRC follow-up

/Documentation/Scripts/

  * Clarify/link salsa:lts-team/lts-extra-tasks
    <https://salsa.debian.org/lts-team/lts-extra-tasks> against
    salsa:freexian-team/project-funding
    <https://salsa.debian.org/freexian-team/project-funding> (description)
  * Historical analysis of our CVE fixes: check feasibility
  * webwml:find-missing-advisories
    <https://salsa.debian.org/webmaster-team/webwml/-/blob/master/english/security/find-missing-advisories>:
    handle missing trailing slash, print DSA/DLA date, print affected
    package rather than committer
  * discussion
    <https://lists.debian.org/debian-lts/2020/08/msg00031.html> on
    public naming (shaming?)
  * LTS/TestSuites/sane-backends
    <https://wiki.debian.org/LTS/TestSuites/sane-backends>: test with a
    more complex DEP-8/autopkgtest setup

-- 
https://blog.beuc.net/posts/Debian_LTS_and_ELTS_-_August_2020/