Hi, On 17/05/2022 08:44, Ola Lundqvist wrote:
> When doing triaging this week as part of the front desk assignment I realized that the lts-cve-triage.py script outputs the following section "Other issues to triage for stretch (not yet triaged for buster)" after "Issues postponed for stretch, but fixed in buster via DSA or point releases". I think people before me have missed helping with that triaging because that list of packages to check is long. At least it is easy to miss it.
See https://lists.debian.org/debian-lts/2022/04/msg00011.html for context. I also talked about it during the monthly meeting.
"Issues postponed for stretch, but fixed in buster via DSA or point releases" is a long section because it's new; it shouldn't stay that way.
I'm not sure why the past few front-desk assignees didn't tackle it already despite the above communications. In any case, I plan to tackle it during my FD slot next week if nobody beats me to it.
> Now to the question. Do we generally wait for the Debian Security team to do their analysis before LTS does it? If that is the case, the current list makes sense. If not, I think my proposed change should be done. I have made a change so that "Issues postponed for stretch, but fixed in buster via DSA or point releases" is much further down in the list, because it is generally not so important for triaging work compared to the other ones. Any objections? If not, I'll commit the change tomorrow.
This section is where we are late compared to stable/oldstable: CVEs that are already fixed and published in Debian, but not in Debian LTS, sometimes months later.
This sounds more urgent to me than checking untriaged CVEs, which is why it's output first. So I'd keep the ordering as-is.
Cheers!
Sylvain Beucler
Debian LTS Team