
my LTS December

repost from http://layer-acht.org/thinking/blog/20150106-lts-december-2014/
(it's better formatted there)

# My LTS December

In December 2014 I spent 11h on Debian LTS work and managed to get six DLAs 
released and another one almost done... I did:

 * Release [DLA 103-1](https://lists.debian.org/debian-lts-announce/2014/12/msg00020.html) which was previously prepared by [Ben]
november-2014/) and [myself](http://layer-acht.org/thinking/blog/20141201-lts-november-2014/). So while for this release in December I only had to review 
one patch, I also had to build the package, provide preliminary .debs, ask for 
feedback, do some final smoke tests, write the announcement and do the upload. 
In total this still took 2.5h to "just release it"...
 * Doing [DLA 114-1](https://lists.debian.org/debian-lts-announce/2014/12/msg00015.html) for bind9 was rather straightforward,
 * As was [DLA 116-1](https://lists.debian.org/debian-lts-announce/2014/12/msg00018.html) for ntp, which I managed to release within one 
hour after the DSA for wheezy, despite me having to make the patch apply 
cleanly due to some openssl differences... ;-)
 * I mentioned the bit about openssl because no one ever made a mistake with 
such patches. Seriously, I mean: I would welcome a public review system for 
security fixes. We are all humans and we all make mistakes. I do think my ntp 
patching was safe, but... mistakes happen.
 * [DLA 118-1](https://lists.debian.org/debian-lts-announce/2014/12/msg00020.html) was basically "just" a new kernel 
update, which I almost released on my own, until (thankfully) Ben helped me 
with one patch from .65 not applying (a fix for a wrong fix which Debian 
already had correctly fixed), which was due to a patch not correctly removed 
due to line number changes. And while I was still wrapping my head around 
applying+deapplying these very similar looking patches, Ben had already 
committed the fix. I'm quite happy with this sharing the work, due to the 
following benefits: a.) Ben can spend more time on important tasks and b.) the 
LTS users get more kernel security fixes faster. 
 * [DLA 119-1](https://lists.debian.org/debian-lts-announce/2014/12/msg00021.html) for subversion was a rather straightforward 
take from the wheezy DSAs again, I just had to make sure to also include the 
2nd regression fixing DSA.
 * And then, I failed to finish my work on a jqueryui update before [31c3](http://media.ccc.de/browse/congress/2014/) started. And 31c3 really only 
ended yesterday when I helped putting stuff on trucks and cleaned the big 
hall... So that's also why I'm only writing this blog post now, and not two 
weeks ago, like I probably better had. Anyway, according to the security-tracker 
jqueryui is affected by two CVEs and that's wrong: [CVE-2012-6662](https://security-tracker.debian.org/tracker/CVE-2012-6662) does not affect 
the squeeze version. [CVE-2010-5312](https://security-tracker.debian.org/tracker/CVE-2010-5312) on the other hand affects the 
squeeze version, I know how to fix it, I just lacked a quiet moment to prepare 
my fix properly and test it, and so I've rather postponed doing so during 
31c3... so, expect a DLA for jqueryui very soon now!

Thanks to everyone who is supporting Squeeze LTS in whatever form! Even just 
expressing that you or the company or project you're working with is using 
LTS, is useful, as it's always nice to hear one's work is used and appreciated. 
If you can contribute more, please do so. If you can't, that's also fine. It's 
free software after all :-)
