
Re: LTS progress so far [was: Draft announce of Debian 6 LTS, please review quickly]

On Tue, Jun 17, 2014 at 10:28:02AM +0200, Thorsten Alteholz wrote:
> On Mon, 16 Jun 2014, Moritz Muehlenhoff wrote:
>> Initially there needs to be an initial analysis of the data shown at
>> https://security-tracker.debian.org/tracker/status/release/oldstable
>> as described at the bottom of lts-needed.txt
> I hope I got everything now ...

For dsa-needed.txt we avoid adding the CVE IDs and only list the package names
since the general workflow in case of a DSA is to review all open issues.
This simplifies things.

>> First question: If an issue is tagged as <no-dsa> for wheezy by the security
>> team, shall we directly also tag it as <no-dsa> for squeeze or does anyone
>> want to classify this independently? ("we" as in Debian security team)
> If you say that a DSA is not needed for wheezy, I would say there isn't  
> one needed for squeeze.

Ok, unless someone disagrees in the next days, we can establish that workflow.
Of course, issues tagged no-dsa can still be fixed if someone finds them
worth working on.

lts-needed.txt is rather for the "ok, I have some time, what should I work on?"

>> Second question: If we add an issue to dsa-needed.txt, shall we also add it
>> to lts-needed (if that package is in squeeze) or does anyone want to classify
>> this independently?
> Would it make sense to add everything from dsa-needed as well as all 

It is better to use https://security-tracker.debian.org/tracker/status/release/oldstable
as a basis; some packages are not in oldstable or stable and some are EOLed.

> minor issues with no-dsa to lts-needed?

No, the whole point of dsa-needed.txt/lts-needed.txt is to only list the
not triaged as no-dsa, see the explanation at the bottom of lts-needed.txt
and my recent mail reply to Matt Palmer.

