Debian LTS and ELTS - August 2024

[Sylvain Beucler]

Here is my public monthly report.

Thanks to our sponsors for making this possible, and to Freexian for
handling the offering.
https://www.freexian.com/lts/debian/#sponsors


LTS

- ruby2.7
  - Finish backporting and testing security fixes
  - Postpone fix for new DoS CVEs (as in Debian Stable bookworm)
  - Submit packaging fix to Ruby Team
    https://salsa.debian.org/ruby-team/ruby/-/merge_requests/6
  - Prepare DLA, but bullseye-lts couldn't get opened during August

- Front Desk (weeks 32 & 33)
  - Prepare for bullseye LTS, planned 2024-08-15
  - Add 60+ candidate packages to future LTS work queue
    - Move packages from bullseye-oldstable to bullseye-lts, import history/age
    - Identify bullseye packages lacking bookworm fixes
  - Identify some end-of-life and unsupportable packages
    - Help remove end-of-life packages (snort, salt) from the archive
    - Coordinate EOL for gpac, pypy[v2], jython
      https://lists.debian.org/debian-lts/2024/08/msg00014.html
      https://lists.debian.org/debian-lts/2024/08/msg00005.html
    - Update 'debian-security-support' (reference database and tool)
      
https://salsa.debian.org/debian/debian-security-support/-/merge_requests/25
      
https://salsa.debian.org/debian/debian-security-support/-/merge_requests/26
      
https://salsa.debian.org/debian/debian-security-support/-/merge_requests/27
      
https://salsa.debian.org/debian/debian-security-support/-/merge_requests/28
  - Help make past build logs public, to help debug future build failures
    https://lists.debian.org/debian-lts/2024/08/msg00040.html
  - Notify about incorrect upload to buster (shim-signed)
  - Recheck patch availability for qemu CVEs and ease future passes
  - LTS uploads not opened on 2024-08-15: help investigate and mitigate


ELTS

- ruby2.1/ruby2.3/ruby2.5
  - Backport security fixes
  - Further stabilize test suites, including on salsa-ci and ci.freexian.com
  - Postpone fix for new DoS CVEs (as in Debian Stable bookworm)
  - ELAs 1148-1, 1149-1, 1150-1
    https://www.freexian.com/lts/extended/updates/ela-1148-1-ruby2.1/
    https://www.freexian.com/lts/extended/updates/ela-1149-1-ruby2.3/
    https://www.freexian.com/lts/extended/updates/ela-1150-1-ruby2.5/

- Front-Desk (weeks 32 & 33)
  - Adjust package affected suites (jessie/stretch/buster) following
    buster switch to ELTS and newly supported packages
  - Mark 25 supported packages for update
  - Drop 1 out-of-support package (pdns-recursor)
  - Associate CVEs from newer, branched Debian packages with different
    names to older ELTS packages (golang*, jetty*, mariadb*, openssl*,
    postgresql*, pypy*, sqlite*, squid*, tomcat*, unbound*)
  - Adjust list of renamed packages to track, following buster switch to ELTS
  - Triage or precise triage for a 10+ CVEs
  - Help contributors with upload and triage specifics


Documentation and tooling

- Tooling
  - lts-cve-triage.py: use debian-security-support reference branch
    
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/785fb38a6165369d20bcd4897bcb10dd33e574c5
  - package-operations (internal tool)
    - add bullseye-lts dist
    - avoid truncating text information during GUI-based updates
    - find-work: better handle package age (notably today/0-day)
  - pyxian (internal tool)
    Avoid confusion and make 'freexian available' point to 'find-work'

- ci.freexian.com
  - Investigate and report incomplete reverse-dependency testing
    (see also documentation below)
  - Help improve testing report (a.k.a. "excuses")

- salsa-ci (continuous integration)
  - Piuparts: fix APT suites discrepancies (causes tests failures)
    (Last month's work now merged)
    https://salsa.debian.org/salsa-ci-team/pipeline/-/issues/292
    https://salsa.debian.org/salsa-ci-team/pipeline/-/merge_requests/524
  - Comment on piuparts proposal
    https://salsa.debian.org/salsa-ci-team/pipeline/-/issues/370#note_512969

- salsa-ci: ELTS fork
  - Report issue with docker (already fixed in salsa-team's pipeline)
    https://salsa.debian.org/lts-team/pipeline/-/issues/11
  - Help testing merging salsa-ci from salsa-team to ELTS' fork
  - autopkgtest: answer request for help with old dists
    https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1078445#10

- LTS Documentation
  - Development
    Fix and clarify test section
    https://lts-team.pages.debian.net/wiki/Development.html#test-the-update
    Link samueloph's DebConf24 talk
    https://lts-team.pages.debian.net/wiki/Development.html#tips-tools
    
https://debconf24.debconf.org/talks/93-fixing-cves-on-debian-everything-you-probably-know-already/
  - TestSuites: ruby: notes on Freexian CI
    https://lts-team.pages.debian.net/wiki/TestSuites/ruby.html

- ELTS Documentation (internal)
  - Clarify documentation for freexian.ci.com (staging area for testing ELAs)
    - Investigate britney2-based internal workflow and expected tests
    - Detail expected behavior and caveats
    - Document usage of autodep8 triggering unexpected tests
      https://manpages.debian.org/unstable/autodep8/autodep8.1.en.html
  - How to create an arm* VM from an AMD64 host, for testing purposes,
    using debvm-create

- Monthly team meeting (through Jitsi)
  Acted as secretary
  https://lists.debian.org/debian-lts/2024/08/msg00041.html


-- 
Sylvain Beucler
Debian LTS Team