LTS meeting notes



Hello everyone.

Here are the notes from today's LTS meeting, with many thanks to Sylvain
for agreeing to act as the note taker.

Present:
- Roberto C. Sánchez
- Santiago Ruano
- Stefano Rivera
- Raphael Hertzog
- Sean Whitton
- Thorsten Alteholz
- Utkarsh Gupta
- Jochen Sprickerhof
- Sylvain Beucler
- Chris Lamb
- Guilhem Moulin
- Lee Garrett
- Kurt Kremitzki
- Bastien Roucariès

Apologies:
- Adrian Bunk
- Tobias Frost
- Holger Levsen
- Emilio Pozuelo Monfort

Discussion:

- jitsi.debian.social service is back online, now with OpenID
   authentication through your Salsa account

- Updates to documentation concerning CVE triage (roberto/beuc)
   - Current docs:
     https://lts-team.pages.debian.net/wiki/Development.html
   - Latest changes/diff:
     https://salsa.debian.org/lts-team/lts-team.pages.debian.net/-/commit/eaf1d75d7bc5e48ade06dda5f9d96e2c3f75b6e5
   - Changes summary / approach:
     https://salsa.debian.org/lts-team/lts-team.pages.debian.net/-/merge_requests/15

   This not only impacts the FD but also all contributors (when working
   on a package update and making changes to data/CVE/list).

   This also confirms dropping <no-dsa> as discussed last meeting.

- End of buster-LTS recap/plans (following santiago's e-mail to
   customers this week)

   buster EOL is the end of June (June 30th).

   Try to work on bullseye & bookworm under the responsibility of
   secteam until bullseye-lts starts officially (August 15th).
   Cf. the dates at https://wiki.debian.org/LTS

   There's also non-security work to pick up during the transition.

   Raphaël: All paid LTS contributors are also ELTS contributors,
   so spending more time on ELTS is also an option. (As well as
   updating bullseye for no-dsa CVEs that have been fixed in buster.)

- Merging LTS/ELTS teams

   New policy: new contributors join both LTS & ELTS

   Pending coordinator work to finalize this.

- ELTS upload process/procedure changes (roberto)

   Cf. Helmut's mail for details.

   Always use full source upload.

   There's a dput-ng hook to remind you of it (also works for
   security-master, see
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=826193).

- Action item still to be done (a.k.a I am late, sorry): Document the
   differences between salsa-ci's autopkgtest, ci.debian.net and
   ci.freexian.com, including testing of rdepends (rouca may review)
   (santiago)

   Still in progress (?)

- Ping for long-standing packages (santiago)

   Santiago requests help on these packages: rails (utkarsh), docker,
   libssh, putty (rouca).

   samba is done at last! Including cross-distro effort to maintain
   a long-term branch for Samba.

- AOB

   - Git repository creation policy (santiago)

   Following Git issues with samba's git repository, do we want to move
   from fresh forks to forks of the maintainers' repo?

   rouca: a way to work around some problems with aliased branches

   lee: depends if upstream uses standard gbp layout (e.g. uncommon
   patches-applied repo in samba), so sometimes a maintainer fork isn't
   the best option

   roberto: earlier, there was a preference for fresh repos.
   Now we tend to favor repo forks.

   Benefits of forking:

   - we can import LTS changes back to main repo and there's a single
     repo, easier to contribute back

   - git-blame works better (if maintainer imported the full upstream
     repo)

   - should save more space on Salsa

   - backporting changes from newer dists is easier

   But again, not necessarily the best in all situations.

   guilhem: also, if an early +deb10uX was already uploaded using the
   old workflow (gbp import-dsc) then there is no point in changing the
   workflow for the next +deb10uY, right? I see some value in
   preserving the history for a given suite, but the workflow can
   change for +deb11u1

- rouca: process for reviewing backport-incompatible changes that
   impact rdeps + how to make sure the upgrade to bullseye still works
   + how to handle customer customized packages

   santiago: we probably need to fix rdeps / impacted packages

   roberto: try fixing bullseye/bookworm along with buster to keep
   upgrades smooth

- rouca: SMTP smuggling / secure defaults

   some issues remain, syncing with Ubuntu

   issue happens only with customized user configuration

   => the issue is actually more complex, and still under embargo =>
   move to the list to explain in further detail

- rouca: secure defaults

   same issue with the bluetooth stack: due to an option not enabled by
   default

   enforce secure default or not?

   roberto: depends on severity of the issue

   rouca: this also depends on different impacts on different dists,
   which may lead to inconsistencies if fixed differently

   Raphaël Hertzog: At the same time, it seems like a per-package
   decision where we need agreement between package maintainers and
   security teams.

   Santiago: please remember to document breaking changes in the
   debian/NEWS file

   Sean Whitton: debian/NEWS is nice but we can't be sure it'll be seen

   roberto: move discussion to mailing list

- Next meeting: Thursday 23rd May, on IRC

Thanks to everyone for participating!

Regards,

-Roberto

-- 
Roberto C. Sánchez