Hi Emilio,

Sorry for this. I used the lts-cve-triage.py script and noticed a ton of things to do.

I checked this page https://wiki.debian.org/LTS. And it says "July, 2022 to June, 2024", so this was why I drew the conclusion that we had already taken over the security support for buster. Reading more in the email chains I realize I was wrong in that conclusion. I guess this page was updated a little too early, or at least not with enough precision.

Do we have a date for buster takeover? I found a discussion in my email log from a few days ago and it mentions that buster will have a point release in August.

// Ola

On Tue, 12 Jul 2022 at 00:31, Emilio Pozuelo Monfort <po...@debian.org> wrote:
>
> Hi Ola,
>
> On 11/07/2022 23:24, Ola Lundqvist (@opal) wrote:
> >
> >
> > Ola Lundqvist pushed to branch master at Debian Security Tracker /
> > security-tracker
> >
> >
> > Commits:
> > 55001d9c by Ola Lundqvist at 2022-07-11T23:23:41+02:00
> > Wrote a script to bulk add EOL entries for LTS buster.
> >
> > - - - - -
> > b4c0adda by Ola Lundqvist at 2022-07-11T23:23:43+02:00
> > Bulk added EOL entries for ckeditor3 for LTS buster.
> >
> > - - - - -
> > 141f38d2 by Ola Lundqvist at 2022-07-11T23:23:44+02:00
> > Bulk added almost 70 EOL entries for gpac in LTS buster.
> >
> > - - - - -
> > a577308d by Ola Lundqvist at 2022-07-11T23:23:45+02:00
> > Bulk added EOL for 3 CVEs for libspring-java in buster LTS.
> >
> > - - - - -
> > d3c2727d by Ola Lundqvist at 2022-07-11T23:23:46+02:00
> > Bulk added EOL for 2 CVEs for node-tar in buster LTS.
> >
> > - - - - -
> > 58366339 by Ola Lundqvist at 2022-07-11T23:23:48+02:00
> > Bulk added EOL for 2 CVEs for node-url-parse in buster LTS.
> >
> > - - - - -
> > 021ec750 by Ola Lundqvist at 2022-07-11T23:23:48+02:00
> > One correction to the eol bulk add script. Also simplified the output to
> > make it less verbose.
> >
> > - - - - -
> > 22d9f630 by Ola Lundqvist at 2022-07-11T23:23:49+02:00
> > Bulk added EOL for 12 CVEs for nodejs in buster LTS.
>
> buster is not LTS yet, so all of that triaging seems wrong to me, unless you
> have cleared that with the security team. If you have not, please revert it as
> those packages are still supported in buster.
>
> Also, I don't know what you based all of those EOL entries on, but I don't see
> those packages being EOL in buster. Please start a discussion on the LTS list
> before doing that. If there's one and I missed it, please point me to it.
>
> Cheers,
> Emilio

--
 --------------------- Ola Lundqvist ---------------------------
/  o...@debian.org                     o...@inguza.com          \
|  http://inguza.com/                  +46 (0)70-332 1551       |
 ---------------------------------------------------------------