See answers below.
Hi all,
over the last days I found the data/dla-needed.txt in the security-tracker
Git repo rather empty, no new work-needing packages have been added by
LTS frontdesk and I wonder about the following things:
* are we behind with LTS CVE triaging?
No, I would not say so. There are two packages to analyze, faad2 and jasper, but I think the status is good.
* is the security team behind with CVE triaging and LTS waits
for the security team to triage issues first?
No
* is extra CVE triaging for LTS only?
Not sure what you mean by this.
* is extra CVE triaging required for non-LTS and the security
team could need a hand?
That could be the case. There are 7 packages not triaged in non-LTS that have been triaged for LTS.
When I look into the output of bin/lts-cve-triage.py, I see many CVE
issues with state "undetermined" for jessie. When I look into the
security-tracker's WebUI, it shows that most of them are also
undetermined for all other versions of Debian.
Overall question, do we have spots in our workflow where manpower is
needed right now other than with fixing packages?
Yes, it is always good to check the "undetermined" issues. It would be good to conclude whether they can be determined.
Usually it is not easy to do so, but I think it is worth spending time on that if we have time available.
// Ola
Thanks+Greets,
Mike