Hi Santiago, Thorsten, all Santiago have now removed all packages from dla-needed with is good considering buster is now EOL.
As a help to Thorsten I have gone through the entries we had and checked whether bullseye is considered vulnerable. My conclusion is that we should add back: - bind9 - dnsmasq - h2o - libreswan - nodejs - nss - squid The analysis is a quick analysis based on whether the package tracker tells "vulnerable" for bullseye and it was part of dla-needed in the past. This means that the package should be triaged further before updated. The rest of the packages in dla-needed have a "no DSA" or "ignored" statement for all the associated CVEs. I have not analyzed the non-free packages. They need extra attention since they are typically marked as no-dsa with the motivation that non-free is not supported but we have some packages in the packages-to-support list. Hope this helps. If you want I can prepare a commit that add back the above packages. Cheers // Ola -- --- Inguza Technology AB --- MSc in Information Technology ---- | o...@inguza.com o...@debian.org | | http://inguza.com/ Mobile: +46 (0)70-332 1551 | ---------------------------------------------------------------