
Re: Long term improvement to Debian's security and LTS



Hi,

> On Fri, Oct 30, 2015 at 03:01:47PM +0100, Raphael Hertzog wrote:
> > Hello everybody,
> > 
> > with the current LTS funding level and the somewhat limited scope of squeeze,
> > and until the LTS team takes care of wheezy, we are likely to have some
> > spare hours to invest into improving the long-term state of Debian LTS.
> > 
> > That is instead of only taking care of providing security fixes we could
> > work a few hours on:
> > - improving the security infrastructure

That has certainly the best net positive from my point of view.

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=796095 and
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=796784 are bugs
which would make our lives easier.

Also the orig tarball handling is quite a nuisance (no bug for
that, but outlined here:
https://wiki.debian.org/DebianSecurity/AdvisoryCreation/dak-bugs).

I'm not sure whether that can be sped up by submitting patches
from the LTS team or rather by reaching out to ask whether FTP masters
can work on that on a paid basis.

> > - adding DEP-8 tests to packages with regular security updates

Or rather have the proper infrastructure integrated into the
security workflow so that the tests are automatically executed
and test results are sent around (compared to the previous status).

> > - work on security features targeting stretch packages

That's all fairly well covered since people rather like to work
on new things rather than maintaining the old. E.g. rootless X
is already implemented in stretch. There are some worthwhile tasks
in terms of upstream work, but that's not in the scope of some
unused LTS hours.

> > - work on stretch to make sure it can be supported over 5 years
> >   (trying to identify packages which are too old/unsupported)

That's also more or less covered I think. Release team is usually
very supportive of these kinds of requests. Most of the problems
we have are mindset problems at various upstreams.

Cheers,
        Moritz

