Hi,

On 08/12/24 at 07:30, Adrian Bunk wrote:
> On Fri, Dec 06, 2024 at 10:10:19PM -0500, Roberto C. Sánchez wrote:
> > Hello everyone,
>
> Hi Roberto,
>
> > The Security Team has supplied a list of packages/CVEs which were fixed
> > by DLA (some in bullseye and some in buster) but which remain unfixed in
> > bookworm (and which are tagged no-dsa, indicating that the Security Team
> > has no immediate plans to address them).
>
> note that these are only the tip of the iceberg.
>
> There are also packages that were DLA-fixed in buster and
> pu-fixed or unstable-fixed in bookworm, but are unfixed
> in bullseye despite being supported there.
>
> Or older ones, that are e.g. fixed in jessie but not in stretch.
>
> Is this something you or I or someone else should review?

I have this in my ToDo list, but help is always welcome. Let me know if you are willing to do it.

> > I have done my best to carefully document for each package the CVE(s)
> > which are involved. In the cases where a bullseye DLA is needed, I have
> > also added the package to dla-needed.txt (along with a link to the
> > related Salsa issue). For packages which were last updated in 2024, I
> > have gone ahead and assigned the issue in Salsa to the same individual
> > that prepared the last DLA. For older DLAs I did not do this, but rather
> > tagged the individual or individuals who prepared the applicable DLAs.
> >...
>
> Can we please maintain this information in dla-needed only,
> and not have different information in different places?
>
> I initially missed this email, and noticed only quite late that a
> package I picked in dla-needed was already supposed to be assigned.
>
> If you consider a DLA incomplete due to missing upload to pu,
> you could just assign it to the person who is supposed to fix it.
>
> Or add it unassigned.
>
> Everyone and all tooling is used to dla-needed containing the
> authoritative information.

[snip]

To be discussed. The issue with dla-needed (in its current form) and bookworm point updates is that dla-needed is aimed at the LTS release.

Yes, our workflow and tools can be improved, but I believe we are doing good work (and thanks to all the team for that)!

Cheers,

-- 
Santiago