[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Tracking related source packages


During today's meeting we discussed how to track CVEs in related
source packages.  For instance unbound vs. unbound-1.9, or golang
(ELTS) vs. golang-1.7/golang-1.8 (LTS) vs. golang-1.11.

We may miss/delay affected packages due to this, unless the front-desk
is already aware of all related packages. All the more when Security
Team stops tracking a package (ELTS).


- This problem is similar/related to tracking embedded code copies.
  See https://salsa.debian.org/lts-team/lts-extra-tasks/-/issues/2
  With one difference: there's no reference source package.

- This is hard / doesn't make sense to fully automate.
  Security Team expressed opposition to such automation in the past.

- Approaches:

  - As an aid to front-desk triaging: display packages related to
    other packages in the triage scripts, for consideration

  - Add a multi-package view on the security tracker, so it's clear
    which CVEs are not tracked in each related source package,
    (similar to the standard single-source-package view, with one
    column per package but 1-2 Debian versions max per package anyway)

  - Restructure the embedded copies (Markus suggestion)

- Security Team handles this issue manually, and with package
  maintainers input, as far as we can tell, but they should have the
  same issue overall so there's possible synergy.

Feel free to follow-up on the discussion here.


Reply to: