Re: LTS progress so far [was: Draft announce of Debian 6 LTS, please review quickly]
On Fri, Jun 13, 2014 at 03:39:59PM +0200, Moritz Mühlenhoff wrote:
> On Fri, Jun 13, 2014 at 03:15:31PM +0200, Holger Levsen wrote:
> > Hi,
> > On Freitag, 13. Juni 2014, Raphael Hertzog wrote:
> > > Please review the attached draft, share your comments and let me know if I
> > > missed your company.
> > I don't like the focus / expressed view that LTS is made possible by
> > sponsoring organisations rather than volunteers. I think it sets a bad
> > precedent.
> * There have been five updates so far:
> 3/5 have been released by existing security team members and we've always
> stated that we help to get this started, but it needs to be self-hosting
I was under the impression that security team members were releasing
updates for LTS alongside the rest of the distributions, where those team
members were also interested in LTS. I'd be happy to backport security
fixes from wheezy to squeeze, if they weren't already done.
> * No one has taken care of the linux-2.6 update, although all the patches
> have been prepared and Carlos has made various tests
For me at least, the idea of doing a kernel security update is slightly
daunting. And, up until the last few days, there was a big comment in the
top of lts-needed.txt that said that linux-2.6 updates were tracked
separately, which led me to believe it was being taken care of.
I'll get onto this. (lts-needed.txt updated)
> * No one is taking care of updating lts-needed.txt or other triage
I'd be happy to contribute to this, except I'm not sure *how*. Is it a
matter of watching mailing lists (if so, which ones?) and adding issues as
they're reported? Reloading the security-tracker page a couple of times a
day and manually comparing the two lists (that seems... inefficient)?
Watching changes to dsa-needed.txt and copying across the ones that match
(slightly less inefficient)? So far, I've been watching for DSAs that don't
get a matching LTS update (but which appear vulnerable in squeeze) and
working on those.
> So, from my view it's fairly obvious that Debian LTS will only be sustainable
> if there's an ongoing base of sponsored work.
Is that how the current security team operates, on sponsored work (I ask
that legitimately -- I have no idea)? If so, then yes, it's fairly unlikely
that LTS will survive based entirely on volunteer effort. On the other
hand, if the security team manages to produce the fine work it does
with primarily volunteer labour, it wouldn't seem impossible that LTS could do

Please remember that the non-security-team members of the LTS effort are (I
presume) all total n00bs at doing security work, so it's not *entirely*
surprising we're not going to be great at it at first. What would really
help *me*, at least, is if you notice things not working up-to-spec, you
call them out (like you've done here) and help those of us who say "yep,
that sucks, how can we do it better?" to get better.