On Wed, Dec 11, 2024 at 11:05:10AM +0100, Sylvain Beucler wrote:
> 
> For more context: at a point LTS got negative feedback from Debian about
> making too frequent DLAs for low-priority CVEs (resulting in more
> maintenance/restart work for sysadmins around the globe), and negative
> feedback from Freexian about making such releases instead of handling
> packages with more severity or age.
> 
> Conversely, this thread is about fixing many low/mid-priority (no-dsa) CVEs,
> and not in LTS but in Stable.
> 
> As a contributor, and as FD, I'm now unsure of what to include in DLAs.
> 
I went back and forth about whether to continue responding in this
thread. These are issues that resurface from time to time and we have
not managed to come to a satisfying resolution. It would be nice if we
could achieve that, but the technical limitations conspire against us.

The main "problem" is that because there is no proposed-updates queue
for LTS packages, for every CVE/package we must choose between two
options: fix it now, or don't fix it now (which can mean fix it later,
or never fix it).

We have generally leaned in the direction of "fix it now" for all the
CVEs which would be handled by DSA (if secteam were doing the work) plus
all the CVEs which would be handled by proposed-updates (if the
maintainers were doing that work). The drawback of this is that it is
much noisier and more disruptive for users. The final bullseye point
release updated more than 4 dozen packages. During the two months
between the release of 11.10 and 11.11, there were 38 DSAs. I didn't
check to see if they all touched bullseye, but let's assume that they
did.

If we as the LTS Team did that same work via DLAs, we would be looking
at nearly 90 DLAs over the course of 60 days. So, I can understand the
negative feedback about too high a frequency of DLAs for low priority
CVEs.

So, what can we do?

I have spoken to the debusine team and this is actually something that
debusine will enable us to manage better. We will eventually be able to
use debusine to have our own simulated proposed-updates queue which we
can then use to periodically batch-release multiple low priority package
updates.

But in the meantime, we have to do something. That something seems like
it would be to tackle the low/mid priority CVEs alongside other high
priority CVEs that would warrant a DLA on their own. For the same
low/mid priority CVEs affecting stable, we help out through the
proposed-updates process (offering to help the maintainer and coordinate
w/ SRM).

In summary: let's not prepare DLAs for only one or two low priority CVEs
(for the reasons discussed above), but let's certainly include the fixes
when fixing other high priority CVEs. This should be fairly close to
what we are already doing.

-- 
Roberto C. Sánchez