On Thu, Mar 14, 2024 at 04:47:57PM -0400, Roberto C. Sánchez wrote:
> Hello everyone,
>
> I have discussed with Santiago the idea of whether we need to somewhat
> expand the scope of dla-needed.txt.
>
> In essence, we need to continue tracking packages as in-work in some
> cases even after a DLA is released because we might be working with
> secteam, (O)SRM, and/or the maintainer on an upload to (old)stable.
> I think that in the past this has been handled somewhat informally
> (e.g., someone prepared a DLA and then even after the package was done
> from dla-needed.txt continued working on the (old)stable updates).
> However, for the sake of transparency and clarity we should be keeping
> track of this in some way.
>...
> - FD should be confirming that package removals from dla-needed.txt are
>   valid (i.e., that the package does not require any work towards an
>   upload to (old)stable)
>...
IMHO it would be a better approach if the coordinator would check this as
part of the Weekly information, not different from other missing work like
missing announcements or git tags.

For every CVE fixed in LTS last week one of the following should be true:
- package is not in stable, or
- CVE is marked as fixed in stable, or
- CVE is listed in data/next-point-update.txt, or
- package is in data/dsa-needed.txt assigned or with an offer to help from
  the person who did the DLA, or
- the CVE information in the security tracker gives a clear reason why no
  fix is required

The last two checks would have to be done manually by the coordinator, but
the first three could be automated.

The same check can be done for oldstable, using
data/next-oldstable-point-update.txt

For fixes in ELTS, it could also be checked that a CVE is either fixed in
LTS or the package is in data/dla-needed.txt

Salsa issues would then be opened for the rare cases of missing work,
neither bloating dla-needed.txt nor duplicating information, and not
different from a missing git tag.

This would make the Weekly information even more the point (and deadline)
where every contributor knows that some known checks will be run, which
also has the positive effect that people will do the work in time.

> Regards,
>
> -Roberto

cu
Adrian
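The automatable part of the check Adrian sketches above, as an added example: this is not code from the thread and not the security-tracker's own tooling. It takes the DLAs of the past week, applies the three automatic tests (package not in stable, fixed in stable, queued in next-point-update.txt) and hands the remaining two (dsa-needed.txt assignment, tracker reason) to the coordinator as MANUAL items; anything left is MISSING, i.e. Salsa-issue material. The file layouts are assumptions modelled on data/DLA/list, data/CVE/list, data/next-point-update.txt and data/dsa-needed.txt, and every package, CVE, DLA number and date in it is constructed sample data.

```python
"""Added example: automatable weekly follow-up check over constructed data.
Layouts are assumptions modelled on the security-tracker's data/ files; the
packages, CVE ids, DLA numbers, dates and names below are all invented."""
import re
from datetime import date, datetime, timedelta

STABLE = "bookworm"

# Constructed: source packages present in stable ('bar' deliberately absent;
# the real tracker derives this from its package database).
STABLE_SOURCES = {"foo", "baz", "qux", "quux"}

# Constructed data/DLA/list: dated header, then the CVE set in braces.
DLA_LIST = """\
[14 Mar 2024] DLA-0000-1 foo - security update
\t{CVE-2024-0001 CVE-2024-0002}
\t[bullseye] - foo 1.0-1+deb11u1
[12 Mar 2024] DLA-0000-2 bar - security update
\t{CVE-2024-0003}
[11 Mar 2024] DLA-0000-3 baz - security update
\t{CVE-2024-0004}
[10 Mar 2024] DLA-0000-4 qux - security update
\t{CVE-2024-0005}
[09 Mar 2024] DLA-0000-5 quux - security update
\t{CVE-2024-0006}
[01 Mar 2024] DLA-0000-6 quux - security update
\t{CVE-2024-0099}
"""

# Constructed data/CVE/list: only the [suite] annotations are used here.
CVE_LIST = """\
CVE-2024-0001 (constructed)
\t- foo 1.1-1
\t[bookworm] - foo 1.0-2+deb12u1
CVE-2024-0002 (constructed)
CVE-2024-0003 (constructed)
CVE-2024-0004 (constructed)
CVE-2024-0005 (constructed)
\t[bookworm] - qux <no-dsa> (Minor issue)
CVE-2024-0006 (constructed)
"""

# Constructed data/next-point-update.txt and data/dsa-needed.txt.
NEXT_POINT_UPDATE = "CVE-2024-0004\n\t[bookworm] - baz 3.0-1+deb12u1\n"
DSA_NEEDED = "--\nfoo (adrian)\n  NOTE: CVE-2024-0002 open in bookworm\n--\n"


def dlas_since(text, since):
    """(package, CVE) pairs from every DLA dated on or after `since`."""
    pairs, pkg = [], None
    for line in text.splitlines():
        m = re.match(r"\[(\d{1,2} \w{3} \d{4})\] DLA-\S+ (\S+) ", line)
        if m:
            dla_date = datetime.strptime(m.group(1), "%d %b %Y").date()
            pkg = m.group(2) if dla_date >= since else None
        elif pkg and line.strip().startswith("{"):
            pairs += [(pkg, c) for c in line.strip().strip("{}").split()]
    return pairs


def suite_annotations(text):
    """CVE -> {suite: version or <tag> text}; next-point-update.txt uses the
    same 'CVE header + tab-indented [suite] - pkg version' shape."""
    out, cve = {}, None
    for line in text.splitlines():
        if line.startswith("CVE-"):
            cve = line.split()[0]
            out[cve] = {}
        elif cve and (m := re.match(r"\t\[(\w+)\] - \S+ (.*)", line)):
            out[cve][m.group(1)] = m.group(2)
    return out


def dsa_needed(text):
    """package -> assignee ('' if unassigned) from dsa-needed.txt entries."""
    out = {}
    for line in text.splitlines():
        if line and not line.startswith(("--", " ", "\t")):
            m = re.match(r"(\S+)(?:\s+\((.*)\))?", line)
            out[m.group(1)] = m.group(2) or ""
    return out


def weekly_check(ref_date=date(2024, 3, 15), suite=STABLE):
    """One verdict per CVE fixed by a DLA in the 7 days before ref_date
    (default is the constructed 'today'). 'ok:' needs nothing, 'MANUAL:'
    is for the coordinator, 'MISSING:' has no follow-up recorded anywhere."""
    annots = suite_annotations(CVE_LIST)
    queued = suite_annotations(NEXT_POINT_UPDATE)
    needed = dsa_needed(DSA_NEEDED)
    verdicts = {}
    for pkg, cve in dlas_since(DLA_LIST, ref_date - timedelta(days=7)):
        status = annots.get(cve, {}).get(suite)
        if pkg not in STABLE_SOURCES:
            v = "ok: package not in " + suite
        elif status and (not status.startswith("<")
                         or status.startswith("<not-affected>")):
            v = "ok: " + suite + " " + status  # real version or not-affected
        elif suite in queued.get(cve, {}):
            v = "ok: queued in next-point-update.txt"
        elif pkg in needed:
            v = "MANUAL: in dsa-needed.txt (" + (needed[pkg] or "unassigned") + ")"
        elif status:
            v = "MANUAL: tracker says " + status  # e.g. <no-dsa> (Minor issue)
        else:
            v = "MISSING: no follow-up recorded"
        verdicts[cve] = v
    return verdicts


if __name__ == "__main__":
    for cve, verdict in sorted(weekly_check().items()):
        print(cve, verdict)
```

For oldstable the same function runs with suite="bullseye" and data/next-oldstable-point-update.txt in place of NEXT_POINT_UPDATE; the dsa-needed.txt entry is reported rather than accepted because whether the DLA author is the assignee or offered help is the coordinator's call, exactly as the mail says.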