
Re: What are we supporting with LTS now? Please advice



Hey,

On Tue, Jul 12, 2022 at 06:12:04PM +0200, Markus Koschany wrote:
> Hi Ola,
> 
> adding the security team to CC to get some feedback from them 
> 
> Am Dienstag, dem 12.07.2022 um 13:58 +0200 schrieb Ola Lundqvist:
> > [...]
> > We (as LTS team) are obviously not responsible for buster yet.
> > 
> > But are we responsible for anything? It looks like we are in a limbo.
> > 
> > What should I triage as front desk?
> > - Stretch?
> > - Buster?
> 
> Stretch is EOL and Buster triaging is currently the responsibility of the
> security team. What we still and always can do to support them is:
> 
>  - find more information about CVE
>  - update the security tracker with additional information, links to patches, 
>    bug reports etc.
>  - file bug reports and inform Debian maintainers about vulnerable packages 
> 
> 
> - we just don't decide on the severity and whether a DSA will be announced, so
> please don't mark the CVE as ignored, no-dsa, etc. for now

Correct, thanks. When in doubt about committing something about
your findings to the tracker, feel free to ask the team alias as well.

> @ security team
> 
> Just to make sure. How can someone from the LTS team help with fixing packages
> in dsa-needed.txt? What would be the correct procedure?

If a security-team external contributor wants to contribute an update
which is required as listed in dsa-needed, please just ping us at
team@s.d.o with either the intention (and then follow up with debdiffs)
or propose the debdiff already. We will make a note in dsa-needed that
someone is working on an update. Do not self-assign entries in
dsa-needed, as they are handled as who is releasing the DSA.
> 
> I assume adding no-dsa packages to dla-needed.txt is OK if they can be included
> in the next Buster point release? 

Do you mean dla-needed.txt really here? In any case, if someone wants
to propose an update which does not require a DSA and can be fixed in a
point release, there is no special coordination needed with the
security-team (though a CC would be appreciated in any case); simply
the procedure for updating packages in stable and oldstable can be
followed and the update proposed to the Stable Release Managers.

But I assume you really meant here dla-needed as part of the LTS
contributor's workflow to mark interest in updating something in
buster?

Regards,
Salvatore

