
Re: fixing in oldstable before unstable (was Re: Wheezy update of tre?)



On 20.10.2016 16:26, Holger Levsen wrote:
> On Thu, Oct 20, 2016 at 03:59:53PM +0200, Santiago Vila wrote:
>> But I'm a little bit surprised that the whole story begins in wheezy LTS.
>> Should this not start in unstable with a bug report?
> 
> This often happens when there was a CVE, with or without a bug filed, and
> no one uploaded a fix. Then, at some point, the LTS team comes around and
> is paid to fix this in LTS…
> 
> I also think it would be better to always (well, unless the package is
> gone) make sure this is fixed in unstable first and then in LTS, but I
> don't think this is an individual question; rather, I think this should
> be addressed by implementing it as a mandatory part of the LTS workflow.

Fixing bugs in unstable or any other suite in Debian is not a part of
Wheezy LTS. That doesn't mean that other Debian releases don't benefit
from LTS work too. When the versions are quite similar in different
distributions, it is often just as simple as applying the LTS debdiff to
Jessie/Stretch or unstable again.

Fixing a package in unstable might require a completely different
approach compared with Wheezy: a new upstream release, or fixing a
totally different code base.

Usually the security team files the bug report against the affected
package. There is even a template that can be used for this task. I
wouldn't mind filing those bug reports when nobody from the security
team has found the time to do so yet, but then we should also clarify
whether they appreciate this foray, because determining the bug severity
is clearly their domain. A suitable compromise would be that we file all
bug reports with severity "important" and they can later check whether
it should be release critical.

Regards,

Markus

