Re: What are we supporting with LTS now? Please advise
Hey,
On Tue, Jul 12, 2022 at 06:12:04PM +0200, Markus Koschany wrote:
> Hi Ola,
>
> adding the security team to CC to get some feedback from them
>
> Am Dienstag, dem 12.07.2022 um 13:58 +0200 schrieb Ola Lundqvist:
> > [...]
> > We (as LTS team) are obviously not responsible for buster yet.
> >
> > But are we responsible for anything? It looks like we are in a limbo.
> >
> > What should I triage as front desk?
> > - Stretch?
> > - Buster?
>
> Stretch is EOL and Buster triaging is currently the responsibility of the
> security team. What we still and always can do to support them is:
>
> - find more information about CVE
> - update the security tracker with additional information, links to patches,
> bug reports etc.
> - file bug reports and inform Debian maintainers about vulnerable packages
>
>
> - we just don't decide on the severity and whether a DSA will be announced, so
> please don't mark the CVE as ignored, no-dsa, etc. for now
Correct, thanks. When in doubt about committing something about
your findings in the tracker, feel free to ask the team alias as well.
> @ security team
>
> Just to make sure. How can someone from the LTS team help with fixing packages
> in dsa-needed.txt? What would be the correct procedure?
If a security-team external contributor wants to contribute an update
which is required as listed in dsa-needed, please just ping us at
team@s.d.o with either the intention, but then follow with debdiffs,
or propose the debdiff already. We will make a note in dsa-needed that
someone is working on an update. Do not self-assign entries in
dsa-needed as they are handled as who is releasing the DSA.
>
> I assume adding no-dsa packages to dla-needed.txt is OK if they can be included
> in the next Buster point release?
Do you mean dla-needed.txt really here? In any case, if someone wants
to propose an update which does not require a DSA and can be fixed in a
point release, there is no special coordination needed with the
security team (though a CC would be appreciated in any case) and
simply the procedure for updating packages in stable and oldstable can
be followed and the update proposed to the Stable Release Managers.
But I assume you really meant here dla-needed as part of the LTS
contributor's workflow to mark interest in updating something in
buster?
Regards,
Salvatore