Hi José

I haven't put all the pieces together yet, but I think the sequence is as 
follows:

1. We need to say "We'll do it" in bug #1031046, and the bug needs to close.
2. Asterisk gets promoted to testing automatically?
3. If we make it to the freeze, it could be included in Trixie?
4. We backport and apply patches to testing every time a CVE comes up.
5. We continue applying patches and these land in testing, then get promoted to 
stable?

Right now, I believe a DM or DD can action point 1, but I am neither of those.

For point 3 I don't know exactly where patches are applied, since the current 
pkg-voip-team salsa repo only has branches for unstable (debian/latest)? I 
found another repo from the LTS team which seems to be where another copy of 
asterisk is maintained (but I think if a package goes to the LTS team, then 
it's on the bubble of being dropped from stable).

Per bug #1031046, we need to keep applying patches for 3 years (2 years of 
stable, 1 year of oldstable). And if we want the package to remain in Debian 
stable, we will need to secure oldstable and stable at the same time 
(potentially double the work).

According to https://www.asterisk.org/downloads/security-advisories/, you can 
expect 3-10 reports per year from upstream. Debian packaging itself sometimes 
introduces security problems like 
https://salsa.debian.org/pkg-voip-team/asterisk/-/commit/0617fd6e42767ffef40aae56d6675c8234ba5081

A conservative estimate might be that we need to backport one patch every two 
weeks.

I might be way off on all this, but that's my best guess so far.

Martin