Hello everyone. Here are the notes from today's LTS meeting, with many thanks to Sylvain for agreeing to act as the note taker.
Present:
- Roberto C. Sánchez
- Santiago Ruano
- Stefano Rivera
- Raphael Hertzog
- Sean Whitton
- Thorsten Alteholz
- Utkarsh Gupta
- Jochen Sprickerhof
- Sylvain Beucler
- Chris Lamb
- Guilhem Moulin
- Lee Garrett
- Kurt Kremitzki
- Bastien Roucariès

Apologies:
- Adrian Bunk
- Tobias Frost
- Holger Levsen
- Emilio Pozuelo Monfort

Discussion:

- jitsi.debian.social service is back online, now with OpenID authentication through your Salsa account

- Updates to documentation concerning CVE triage (roberto/beuc)
  - Current docs: https://lts-team.pages.debian.net/wiki/Development.html
  - Latest changes/diff: https://salsa.debian.org/lts-team/lts-team.pages.debian.net/-/commit/eaf1d75d7bc5e48ade06dda5f9d96e2c3f75b6e5
  - Changes summary / approach: https://salsa.debian.org/lts-team/lts-team.pages.debian.net/-/merge_requests/15
  This not only impacts FD but also all contributors (when working on a package update and making changes to data/CVE/list).
  This also confirms dropping <no-dsa>, as discussed last meeting.

- End of buster-LTS recap/plans (following santiago's e-mail to customers this week)
  buster EOL is end of June (June 30th).
  Try to work on bullseye & bookworm under the responsibility of secteam until bullseye-lts starts officially (August 15th); cf. the date at https://wiki.debian.org/LTS
  There's also non-security work to pick up during the transition.
  Raphaël: All paid LTS contributors are also ELTS contributors, so spending more time on ELTS is also an option (as well as updating bullseye for no-dsa CVEs that have been fixed in buster).

- Merging LTS/ELTS teams
  New policy: new contributors join both LTS & ELTS.
  Pending coordinator work to finalize this.

- ELTS upload process/procedure changes (roberto)
  Cf. Helmut's mail for details.
  Always use a full source upload. There's a dput-ng hook to remind you of it (also works for security-master, https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=826193).

- Action item still to be done (a.k.a. I am late, sorry): Document the differences between salsa-ci's autopkgtest, ci.debian.net and ci.freexian.com, including testing of rdepends (rouca may review) (santiago)
  Still in progress (?)

- Ping for long-standing packages (santiago)
  Santiago requests help on these packages: rails (utkarsh), docker, libssh, putty (rouca).
  samba is done at last! Including a cross-distro effort to maintain a long-term branch for Samba.

- AOB
  - Git repository creation policy (santiago)
    Following Git issues with samba's git repository, do we want to move from fresh forks to forks of the maintainers' repo?
    rouca: a way to work around some problems with aliased branches
    lee: depends on whether upstream uses the standard gbp layout (e.g. the uncommon patches-applied repo in samba), so sometimes a maintainer fork isn't the best option
    roberto: earlier there was a preference for fresh repos; now we tend to favor repo forks.
    Benefits of forking:
    - we can import LTS changes back to the main repo, and there's a single repo, so it's easier to contribute back
    - git-blame works better (if the maintainer imported the full upstream repo)
    - should save more space on Salsa
    - backporting changes from newer dists is easier
    But again, not necessarily the best in all situations.
    guilhem: also, if an early +deb10uX was already uploaded using the old workflow (gbp import-dsc), then there is no point in changing the workflow for the next +deb10uY, right? I see some value in preserving the history for a given suite, but the workflow can change for +deb11u1.
  - rouca: process for reviewing backport-incompatible changes that impact rdeps + how to make sure the upgrade to bullseye still works + how to handle customer-customized packages
    santiago: we probably need to fix rdeps / impacted packages
    roberto: try fixing bullseye/bookworm along with buster to keep upgrades smooth
  - rouca: SMTP smuggling / secure defaults
    some issues remain, sync'ing with Ubuntu
    the issue happens only with customized user configuration => issue actually more complex, actually still under embargo => move to list to explain in further detail
  - rouca: secure defaults
    same issue with the bluetooth stack: due to an option not enabled by default
    enforce secure defaults or not?
    roberto: depends on the severity of the issue
    rouca: this also depends on different impacts on different dists, which may lead to inconsistencies if fixed differently
    Raphaël Hertzog: At the same time, it seems like a per-package decision where we need agreement between package maintainers and security teams.
    Santiago: please remember to document breaking changes in the debian/NEWS file
    Sean Whitton: debian/NEWS is nice but we can't be sure it'll be seen
    roberto: move discussion to mailing list

- Next meeting: Thursday 23rd May, IRC

Thanks to everyone for participating!

Regards,

-Roberto

--
Roberto C. Sánchez