
Tracking buster/stable updates suited for LTS



Hi,

During my last front-desk week I noticed that we tend to miss or delay
some buster security updates, in particular those that come in point
releases, and a few batches of minor postponed fixes.  See for
instance, 'dpdk' [1] or 'mailman' [2].

Attached is a patch to 'bin/lts-cve-triage.py' to help exhibit those
updates so we schedule them in dla-needed.txt.  This includes fixes
from stable/oldstable point releases or past DSAs, but excludes issues
explicitly ignored, and old fixes from back when buster was unstable.

The current output is manageable (40-50 packages), and I plan to trim
it further down by properly tagging <ignored> some no-dsa issues that
are not meant to be fixed in stretch (see e.g. 'ark' [3]), and tagging
<end-of-life> a few others (e.g. 'node-*').

At this point front-desk can proceed as usual using the enhanced
'lts-cve-triage.py' output.  Front-desk may need to use 'no-dsa'
sparingly in the future, in favor of its 'postponed' and 'ignored'
sub-states [4], so as to better help the tool.

What do you think?

Cheers!
Sylvain Beucler
Debian LTS Team

[1] https://security-tracker.debian.org/tracker/source-package/dpdk
[2] https://security-tracker.debian.org/tracker/source-package/mailman
[3] https://security-tracker.debian.org/tracker/source-package/ark
[4] https://security-team.debian.org/security_tracker.html#issues-not-warranting-a-security-advisory
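The selection rule the message sketches (take point-release/DSA fixes from stable, skip issues explicitly ignored or end-of-life for LTS, skip fixes that predate the stable release) as an added example in Python. This is neither the attached patch to 'bin/lts-cve-triage.py' nor code from the security tracker; it runs over a constructed, simplified imitation of the tracker's CVE list layout, and the package names (foo, bar, baz, node-qux), CVE numbers, versions and the table of versions shipped at the buster release are all made up. The version ordering is a minimal port of dpkg's comparison rules, sufficient for the sample; real tooling should call dpkg --compare-versions or python3-apt instead.

```python
"""Added example, not the attached patch nor security-tracker code: a toy of
the candidate selection the message describes, over a constructed, simplified
imitation of the tracker's CVE list layout (names, CVE ids, versions and the
release-version table are all made up)."""
import re
from collections import defaultdict

STABLE, LTS = "buster", "stretch"          # track STABLE updates for LTS

# Constructed: version each package shipped with at the STABLE release; a fix
# not newer than this landed while STABLE was still unstable.
RELEASE_VERSIONS = {"foo": "1.2.1-2", "bar": "1.9-3", "baz": "1:3.0-2", "node-qux": "4.2-1"}

# Constructed sample: unprefixed lines hold the unstable fix, "[release]" lines
# that release's own fix version or tag.
SAMPLE_LIST = """\
CVE-2019-0001 (constructed: point-release fix in buster, open in stretch)
\t- foo 1.2.3-1
\t[buster] - foo 1.2.1-2+deb10u1
\t[stretch] - foo <no-dsa> (Minor issue)
CVE-2019-0002 (constructed: explicitly ignored for stretch)
\t- bar 2.0-1
\t[buster] - bar 1.9-3+deb10u1
\t[stretch] - bar <ignored> (Minor issue)
CVE-2019-0003 (constructed: postponed for stretch, still a candidate)
\t- baz 1:3.1-1
\t[buster] - baz 1:3.0-2+deb10u2
\t[stretch] - baz <postponed> (Minor issue)
CVE-2019-0004 (constructed: stretch is end-of-life for the package)
\t- node-qux 5.0-1
\t[buster] - node-qux 4.2-1+deb10u1
\t[stretch] - node-qux <end-of-life>
CVE-2017-0005 (constructed: old fix, already in buster when it was released)
\t- foo 1.1-1
\t[stretch] - foo <no-dsa> (Minor issue)
CVE-2019-0006 (constructed: fixed in unstable only, buster still vulnerable)
\t- foo 1.2.4-1
\t[stretch] - foo <no-dsa> (Minor issue)
CVE-2019-0007 (constructed: already fixed in stretch)
\t- baz <unfixed>
\t[buster] - baz 1:3.0-2+deb10u3
\t[stretch] - baz 1:2.9-1+deb9u4
"""
ENTRY = re.compile(r"^\s+(?:\[(?P<rel>[\w.-]+)\]\s+)?-\s+(?P<pkg>\S+)\s+(?P<state>\S+)")
OPEN_LTS_STATES = {None, "<no-dsa>", "<postponed>"}   # None: no LTS line at all


def parse_list(text):
    """{cve: {pkg: {release-or-None: version-or-<tag>}}}"""
    entries, cve = defaultdict(lambda: defaultdict(dict)), None
    for line in text.splitlines():
        if line.startswith("CVE-"):
            cve = line.split()[0]
        else:
            m = ENTRY.match(line)
            if cve and m:
                entries[cve][m["pkg"]][m["rel"]] = m["state"]
    return entries


def _order(c):   # dpkg ordering: '~' first, then end/digit, letters, then the rest
    return -1 if c == "~" else 0 if c.isdigit() else ord(c) if c.isalpha() else ord(c) + 256


def _cmp_fragment(a, b):
    """Minimal port of dpkg's verrevcmp(): alternate non-digit and numeric runs."""
    i = j = 0
    while i < len(a) or j < len(b):
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac, bc = (_order(a[i]) if i < len(a) else 0), (_order(b[j]) if j < len(b) else 0)
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        while i < len(a) and a[i] == "0": i += 1
        while j < len(b) and b[j] == "0": j += 1
        first = 0
        while i < len(a) and j < len(b) and a[i].isdigit() and b[j].isdigit():
            first = first or ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if i < len(a) and a[i].isdigit(): return 1
        if j < len(b) and b[j].isdigit(): return -1
        if first: return first
    return 0


def _parse_version(v):
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, revision = rest.rpartition("-")
    return int(epoch), (upstream if sep else rest), (revision if sep else "0")


def version_cmp(a, b):
    """<0, 0 or >0 like dpkg --compare-versions (assumption: enough for the sample)."""
    ea, ua, ra = _parse_version(a)
    eb, ub, rb = _parse_version(b)
    return (ea - eb) or _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)


def _stable_fix(states, baseline):
    """Version in which STABLE has the fix, or None when STABLE is still vulnerable."""
    if STABLE in states:                                  # explicit [stable] line
        return None if states[STABLE].startswith("<") else states[STABLE]
    unstable = states.get(None)
    if unstable is None or unstable.startswith("<"):
        return None
    # No [stable] line: the unstable fix reached STABLE only if it predates the release.
    return unstable if version_cmp(unstable, baseline) <= 0 else None


def candidates(entries, release_versions=RELEASE_VERSIONS):
    """{pkg: [cve, ...]} that front-desk should consider for dla-needed.txt."""
    out = defaultdict(list)
    for cve, pkgs in entries.items():
        for pkg, states in pkgs.items():
            baseline = release_versions.get(pkg)
            fixed = _stable_fix(states, baseline) if baseline else None
            if fixed is None or version_cmp(fixed, baseline) <= 0:
                continue   # STABLE unfixed, or an old fix from when it was unstable
            if states.get(LTS) not in OPEN_LTS_STATES:
                continue   # <ignored>, <end-of-life>, or already fixed in LTS
            out[pkg].append(cve)
    return {pkg: sorted(cves) for pkg, cves in out.items()}


if __name__ == "__main__":
    for pkg, cves in candidates(parse_list(SAMPLE_LIST)).items():
        print(f"{pkg}: {', '.join(cves)}")
```

On the sample above only foo (CVE-2019-0001, <no-dsa>) and baz (CVE-2019-0003, <postponed>) come out as candidates; the <ignored> and <end-of-life> entries, the fix that predates the buster release, the unstable-only fix and the CVE already fixed in stretch are all dropped. This is also why the distinction between plain no-dsa and its postponed/ignored sub-states matters to such a tool: a bare <no-dsa> has to be kept on the list, whereas <ignored> can be dropped mechanically.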