
Re: [Git][security-tracker-team/security-tracker][master] 8 commits: Wrote a script to bulk add EOL entries for LTS buster.



Hi Emilio

Sorry for this. I used the lts-cve-triage.py script and noticed a ton
of things to do.

I checked this page https://wiki.debian.org/LTS.

And it says "July, 2022 to June, 2024", so this was why I drew the
conclusion that we had already taken over the security support for
buster. Reading more in the email chains I realize I was wrong in that
conclusion.

I guess this page was updated a little too early, or at least not with
enough precision.

Do we have a date for buster takeover?

I found a discussion in my email log from a few days ago and it
mentions that buster will have a point release in August.

// Ola


On Tue, 12 Jul 2022 at 00:31, Emilio Pozuelo Monfort <pochu@debian.org> wrote:
>
> Hi Ola,
>
> On 11/07/2022 23:24, Ola Lundqvist (@opal) wrote:
> >
> >
> > Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker
> >
> >
> > Commits:
> > 55001d9c by Ola Lundqvist at 2022-07-11T23:23:41+02:00
> > Wrote a script to bulk add EOL entries for LTS buster.
> >
> > - - - - -
> > b4c0adda by Ola Lundqvist at 2022-07-11T23:23:43+02:00
> > Bulk added EOL entries for ckeditor3 for LTS buster.
> >
> > - - - - -
> > 141f38d2 by Ola Lundqvist at 2022-07-11T23:23:44+02:00
> > Bulk added almost 70 EOL entries for gpac in LTS buster.
> >
> > - - - - -
> > a577308d by Ola Lundqvist at 2022-07-11T23:23:45+02:00
> > Bulk added EOL for 3 CVEs for libspring-java in buster LTS.
> >
> > - - - - -
> > d3c2727d by Ola Lundqvist at 2022-07-11T23:23:46+02:00
> > Bulk added EOL for 2 CVEs for node-tar in buster LTS.
> >
> > - - - - -
> > 58366339 by Ola Lundqvist at 2022-07-11T23:23:48+02:00
> > Bulk added EOL for 2 CVEs for node-url-parse in buster LTS.
> >
> > - - - - -
> > 021ec750 by Ola Lundqvist at 2022-07-11T23:23:48+02:00
> > One correction to the eol bulk add script. Also simplified the output to make it less verbose.
> >
> > - - - - -
> > 22d9f630 by Ola Lundqvist at 2022-07-11T23:23:49+02:00
> > Bulk added EOL for 12 CVEs for nodejs in buster LTS.
>
> buster is not LTS yet, so all of that triaging seems wrong to me, unless you
> have cleared that with the security team. If you have not, please revert it as
> those packages are still supported in buster.
>
> Also, I don't know what you based all of those EOL entries on, but I don't see
> those packages being EOL in buster. Please start a discussion on the LTS list
> before doing that. If there's one and I missed it, please point me to it.
>
> Cheers,
> Emilio



-- 
 --------------------- Ola Lundqvist ---------------------------
/  opal@debian.org                     ola@inguza.com                  \
|  http://inguza.com/                  +46 (0)70-332 1551       |
 ---------------------------------------------------------------

