Debian LTS and ELTS - December 2020
Here is my public monthly report. Thanks to our sponsors for making this possible, and to Freexian for handling the offering.
https://www.freexian.com/services/debian-lts.html#sponsors

LTS

- mongodb: prepare EOL
  https://lists.debian.org/debian-lts-announce/2020/12/msg9.html
- sympa
  - request CVE-2020-29668
  - DLA 2499-1
    https://lists.debian.org/debian-lts-announce/2020/12/msg00026.html
  - coordinate and prepare DSA-4818, sync'ing 5 issues to buster
    https://www.debian.org/security/2020/dsa-4818
- awstats
  - request CVE-2020-29600 and CVE-2020-35176
  - DLA 2506-1
    https://lists.debian.org/debian-lts-announce/2020/12/msg00035.html
- xerces-c
  - DLA 2498-1, matching ELA-330-1
    https://lists.debian.org/debian-lts-announce/2020/12/msg00025.html
  - coordinate and prepare DSA-4814, matching DLA 2498-1
    https://www.debian.org/security/2020/dsa-4814
- imagemagick
  - more triage, clarify important issues with upstream and reporter
  - request CVE-2020-29599, clarify different vectors in each Debian version
- Reactivity report: reference slowdowns due to upstreams
  https://salsa.debian.org/lts-team/lts-extra-tasks/-/issues/13

ELTS

- mongodb: ensure no open medium/critical vulnerability affects jessie
- xerces-c: ELA-330-1
  https://deb.freexian.com/extended-lts/updates/ela-330-1-xerces-c/
- imagemagick: common work with LTS, determine jessie-specific vector
- lxml: tidy triage
- p11-kit: finish triage, not vulnerable

-- 
Sylvain Beucler
Debian LTS Team
(E)LTS report for November 2020
hi,

in December 2020 I spent 3.5h managing (E)LTS contributors:

- dispatching work hours for LTS and ELTS
- preparing the monthly Freexian blog post published on raphaelhertzog.com
- mail and irc communication, incl.
  - semi-automatic unclaim packages
  - too many claimed packages
  - missing DLAs on www.d.o
- merging merge requests for webwml.git
- announce EOL of mongodb in stretch via DLA-2482-1

-- 
cheers,
  Holger

---
holger@(debian|reproducible-builds|layer-acht).org
PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C
Re: Advice for DLA needed entry
Hi Adrian

Thank you for this clarification. I obviously misread your note. I clarified it a little bit so maybe someone else does not make the same mistake as I did. I removed my own note asking whether the package should be removed from this file or not.

I do not have a good solution to how we should handle this package in dla-needed. If we keep it in dla-needed we will constantly have people like me who think that something should be done when it is not claimed. If we do not add it to the dla-needed file we may get someone triaging it and adding it again, and then people do not know that you have already semi-claimed it.

Should we write your name on the claim (because you do in practice have it claimed, but the problem here is that it will be a long claim, but that is not an issue if you keep adding notes) or should we write a fake claim like [semi-claimed pending buster backport] as claim name?

Cheers

// Ola

On Thu, 31 Dec 2020 at 11:06, Adrian Bunk wrote:
> On Wed, Dec 30, 2020 at 11:33:12PM +0100, Ola Lundqvist wrote:
> > Hi
> >
> > Today I worked some on wireshark and concluded that all CVEs were postponed
> > for buster. So I did some research to check if they were applicable to
> > stretch as well and added quite a few notes about this in the tracker.
>
> The fixes for the 2 new CVEs are trivial to backport,
> I'll update my buster-pu request.
>
> > Now to my question. Should wireshark now be in dla-needed.txt?
>
> NOTE: 20201129: buster-pu in #975932, will backport when in buster (bunk)
>
> What alternative would you suggest to inform other LTS contributors that
> 14 CVEs were already fixed and why the upload to stretch is pending?
>
> >...
> > Or should we even be before in LTS?
>
> Shipping a higher versioned package in oldstable than what is in
> stable is problematic, versioning would have to be something like
> 2.6.8-1.1~really2.6.20
>
> But there is no need to hurry when nothing is considered serious enough
> for a DSA.
>
> > Cheers
> >
> > // Ola
>
> cu
> Adrian
>

-- 
 --- Inguza Technology AB --- MSc in Information Technology ---
|  o...@inguza.com                      o...@debian.org         |
|  http://inguza.com/                   Mobile: +46 (0)70-332 1551 |
 ---
Re: Advice for DLA needed entry
On Sun, Jan 03, 2021 at 12:03:05AM +0100, Ola Lundqvist wrote:
> Hi Adrian

Hi Ola,

>...
> If we keep it in dla-needed we will constantly have people like me who
> think that something should be done when it is not claimed.
>...
> Should we write your name on the claim (because you do in practice have it
> claimed, but the problem here is that it will be a long claim, but that is
> not an issue if you keep adding notes) or should we write a fake claim like
> [semi-claimed pending buster backport] as claim name?

NOTE: 20201129: buster-pu in #975932, will backport when in buster (bunk)

This is my note from November, and this is a fake claim.

Before you've added your notes a month later this was the last note, and if you did not look at the bug before doing anything else that's something you should learn a lesson from.

Usually people ask when a note is unclear.

To avoid duplicate work, usually people ask before working on a package someone else seems to have worked on before.

> Cheers
>
> // Ola

cu
Adrian