repost from http://layer-acht.org/thinking/blog/20150106-lts-december-2014/ (it's better formatted there) # My LTS December In December 2014 I spent 11h on Debian LTS work and managed to get six DLAs released and another one almost done... I did: * Release [DLA 103-1](https://lists.debian.org/debian-lts- announce/2014/12/msg00020.html) which was previously prepared by [Ben] (http://womble.decadent.org.uk/blog/debian-lts-work-december-2014.html), [Raphael](http://raphaelhertzog.com/2014/12/02/my-free-software-activities-in- november-2014/) and [myself](http://layer-acht.org/thinking/blog/20141201-lts- november-2014/). So while for this release in December I only had to review one patch, I also had to build the package, provide prelimary .debs, ask for feedback, do some final smoke tests, write the announcement and do the upload. In total this still took 2.5h to "just release it"... * Doing [DLA 114-1](https://lists.debian.org/debian-lts- announce/2014/12/msg00015.html) for bind9 was rather straightforward, * As was [DLA 116-1](https://lists.debian.org/debian-lts- announce/2014/12/msg00018.html) for ntp, which I managed to release within one hour after the DSA for wheezy, despite me having to make the patch apply cleanly due to some openssl differences... ;-) * I mentioned the bit about openssl because noone ever made a mistake with such patches. Seriously, I mean: I would welcome a public review system for security fixes. We are all humans and we all make mistakes. I do think my ntp patching was safe, but... mistakes happen. * [DLA 118-1](https://lists.debian.org/debian-lts- announce/2014/12/msg00020.html) was basically "just" a new 2.6.32.65 kernel update, which I almost released on my own, until (thankfully) Ben helped me wih one patch from .65 not applying (a fix for a wrong fix which Debian already had correctly fixed), which was due to a patch not correctly removed due to linenumber changes. And while I was still wrapping my head around applying+deapplying these very similar looking patches, Ben had already commited the fix. I'm quite happy with this sharing the work, due to the following benefits: a.) Ben can spend more time on important tasks and b.) the LTS user get more kernel security fixes faster. * [DLA 119-1](https://lists.debian.org/debian-lts- announce/2014/12/msg00021.html) for subversion was a rather straight forward take from the wheez DSAs again, I just had to make sure to also include the 2nd regression fixing DSA. * And then, I failed to finish my work on a jqueryui update before [31c3] (http://media.ccc.de/browse/congress/2014/) started. And 31c3 really only ended yesterday when I helped putting stuff on trucks and cleaned the big hall... So that's also why I'm only writing this blog post now, and not two weeks ago, like I probably better had. Anyway, according to the security- tracker jqueryui is affected by two CVEs and that's wrong: [CVE-2012-6662] (https://security-tracker.debian.org/tracker/CVE-2012-6662) does not affect the squeeze version. [CVE-2010-5312](https://security- tracker.debian.org/tracker/CVE-2010-5312) on the other hand affects the squeeze version, I know how to fix it, I just lacked a quiet moment to prepare my fix properly and test it, and so I've rather postponed doing so during 31c3... so, expect a DLA for jqeuryui very soon now! Thanks to everyone who is supporting Squeeze LTS in whatever form! Even just expressing that you or the company or project you're working with is using LTS, is useful, as it's always nice to hear once work is used and appreciated. If you can contribute more, please do so. If you can't, that's also fine. It's free software after all :-)
Attachment:
signature.asc
Description: This is a digitally signed message part.