Re: forward-ports to jessie and LTS transition coordination
On 2018-06-07 15:42:17, Chris Lamb wrote:
> Hi Antoine et al.,
>> After staring at that thing and trying to deal with a few of those, I am
>> a little unsure how to actually coordinate this work for now.
> I agree that the foo-needed.txt files are a little confusing right
> now. :)
> To ensure no duplicated work in the next week (or at least to minimise
> the risk...) I suggest that we:
> * File bugs in the BTS for CVEs that don't have them.
> * Tag them properly in data/CVE/list.
> * Quasi "claim" them by writing to the aforementioned bug numbers and, obviously, check there to co-ordinate/check before starting.
> * Work on preparing "regular" stable security updates for ACK by the
> security team, i.e. follow the steps in the Developers Reference.
I'm not sure how that avoids duplicate work. Just writing to the BTS
does not make it very explicit that we're working on the package, unless
we explicitly say so ("hi, i'm working on this") or claim the bug
(`owner -1 me`) in the BTS, both of which will generate traffic that the
maintainer and bug watchers may not care about.
Furthermore, this will require duplicate if not massive changes to the
BTS for multiple CVEs. GM and Imagemagick, for example, have ~50 and ~75
CVEs each... I am not sure we want to deal with those in the BTS or that
it's even meaningful to do so in that context.
What do you think of the idea of using dla-needed.txt immediately for
> Other work that can be done in the meantime include improving our
> triage scripts -- I still have a half-draft of the "renamed packages"
> script, for example.
Is that the one you sent this gist for?
Was there any change done to those?
> IIRC I believe the subject to search for is "Improvement needed to our
> triaging scripts".
I can certainly take a look at those again!
Thanks for the tip.
I come from a country where "engagé" means that you have found yourself a job.
- Patrice Desbiens