
Re: Question and proposed change for lts-cve-triage.py



As far as I understand, all of those packages can be
added into dla-needed without pre-review? Why not just
put all of them together.

OK, maybe with the short note "needs manual checking" or
similar.

Regards

Anton

On Tue, 17 May 2022 at 14:43, Sylvain Beucler <beuc@beuc.net> wrote:
>
> Hi,
>
> On 17/05/2022 08:44, Ola Lundqvist wrote:
> > When doing triaging this week as part of the front desk assignment I
> > realized that the lts-cve-triage.py script outputs the following
> > section "Other issues to triage for stretch (not yet triaged for
> > buster)" after "Issues postponed for stretch, but fixed in buster via
> > DSA or point releases".
> >
> > I think people before me have missed helping with that triaging
> > because that list of packages to check is long. At least it is easy to
> > miss it.
>
> See https://lists.debian.org/debian-lts/2022/04/msg00011.html for
> context. I also talked about it during the monthly meeting.
>
> "Issues postponed for stretch, but fixed in buster via DSA or point
> releases" is a long section because it's new, it shouldn't stay that way.
>
> I'm not sure why the past few front-desk didn't tackle it already
> despite the above communications, in any case I plan to tackle it during
> my FD slot next week if nobody beats me to it.
>
>
> > Now to the question. Do we generally wait for the Debian Security team
> > to do their analysis before LTS do it? If that is the case, the
> > current list makes sense. If not I think my proposed change should be
> > done.
> >
> > I have done a change so that "Issues postponed for stretch, but fixed
> > in buster via DSA or point releases" is much further down in the list
> > because it is generally not so important for triaging work, compared
> > to the other ones.
> >
> > Any objections? If not, I'll commit the change tomorrow.
>
> This section is where we are late compared to stable/oldstable, where
> CVEs are already fixed and published in Debian, but not in Debian LTS,
> sometimes months after.
>
> This sounds more urgent to me than checking untriaged CVEs, which is
> why it's output first. So I'd keep the ordering as-is.
>
> Cheers!
> Sylvain Beucler
> Debian LTS Team
>

