Question and proposed change for lts-cve-triage.py

To: Debian LTS <debian-lts@lists.debian.org>
Subject: Question and proposed change for lts-cve-triage.py
From: Ola Lundqvist <ola@inguza.com>
Date: Tue, 17 May 2022 08:44:00 +0200
Message-id: <[🔎] CABY6=0k+NfUO0ZRe0-+WMCHzxh1ULXZjCY7dB6mBV+EzVtLBuw@mail.gmail.com>

Hi all

When doing triaging this week as part of the front desk assignment I
realized that the lts-cve-triage.py script outputs the following
section "Other issues to triage for stretch (not yet triaged for
buster)" after "Issues postponed for stretch, but fixed in buster via
DSA or point releases".

I think people before me have missed to help with that triaging
because that list of packages to check is long. At least it is easy to
miss it.

Now to the question. Do we generally wait for the Debian Security team
to do their analysis before LTS do it? If that is the case, the
current list makes sense. If not I think my proposed change should be
done.

I have done a change so that "Issues postponed for stretch, but fixed
in buster via DSA or point releases" is much further down in the list
because it is generally not so important for triaging work, compared
to the other ones.

Any objections? If not, I'll commit the change tomorrow.

Here is the diff.

ola@tigereye:~/git/security-tracker$ git diff bin/lts-cve-triage.py
diff --git a/bin/lts-cve-triage.py b/bin/lts-cve-triage.py
index d92163dc7d..b29680aac1 100755
--- a/bin/lts-cve-triage.py
+++ b/bin/lts-cve-triage.py
@@ -64,9 +64,6 @@ LIST_NAMES = (
     ('triage_possible_easy_fixes',
      ('Issues not yet triaged for {lts}, but already fixed in {next_lts}')
      .format(**RELEASES)),
-    ('triage_possible_missed_fixes',
-     ('Issues postponed for {lts}, but fixed in {next_lts} via DSA or
point releases')
-     .format(**RELEASES)),
     ('triage_other_not_triaged_in_next_lts',
      ('Other issues to triage for {lts} (not yet triaged for {next_lts})')
      .format(**RELEASES)),
@@ -75,6 +72,9 @@ LIST_NAMES = (
     ('unexpected_nodsa',
      ('Issues tagged no-dsa in {lts} that are open in {next_lts}')
      .format(**RELEASES)),
+    ('triage_possible_missed_fixes',
+     ('Issues postponed for {lts}, but fixed in {next_lts} via DSA or
point releases')
+     .format(**RELEASES)),
     ('possible_easy_fixes',
      ('Issues from dla-needed.txt that are already fixed in {next_lts}')
      .format(**RELEASES)),

-- 
 --- Inguza Technology AB --- MSc in Information Technology ----
|  ola@inguza.com                    opal@debian.org            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
 ---------------------------------------------------------------

Reply to:

Follow-Ups:
- Re: Question and proposed change for lts-cve-triage.py
  - From: Sylvain Beucler <beuc@beuc.net>

Prev by Date: Re: [SECURITY] [DLA 3012-1] libxml2 security update
Next by Date: CVE-2020-8859 for elog, should we support it?
Previous by thread: Re: [SECURITY] [DLA 3012-1] libxml2 security update
Next by thread: Re: Question and proposed change for lts-cve-triage.py
Index(es):
- Date
- Thread