Re: Question and proposed change for lts-cve-triage.py



Hi Anton

That is a way to view it. Interesting point. Is this the common view?
I'm asking since:
- the list is long and it does not look like previous front desk did that.
- I thought postponed meant that there is no need for a DLA, but we can fix that later on when such a need appears.

I'm happy to do either way, but I want to do the right thing :-)

Cheers

// Ola

On Tue, 17 May 2022 at 15:37, Anton Gladky <gladk@debian.org> wrote:
As far as I understand all of those packages can be
added into the dla-needed without pre-review? Why not just
put all of them together.

OK, maybe with the short note "needs manual checking" or
similar.

Regards

Anton

Am Di., 17. Mai 2022 um 14:43 Uhr schrieb Sylvain Beucler <beuc@beuc.net>:
>
> Hi,
>
> On 17/05/2022 08:44, Ola Lundqvist wrote:
> > When doing triaging this week as part of the front desk assignment I
> > realized that the lts-cve-triage.py script outputs the following
> > section "Other issues to triage for stretch (not yet triaged for
> > buster)" after "Issues postponed for stretch, but fixed in buster via
> > DSA or point releases".
> >
> > I think people before me have missed to help with that triaging
> > because that list of packages to check is long. At least it is easy to
> > miss it.
>
> See https://lists.debian.org/debian-lts/2022/04/msg00011.html for
> context. I also talked about it during the monthly meeting.
>
> "Issues postponed for stretch, but fixed in buster via DSA or point
> releases" is a long section because it's new, it shouldn't stay that way.
>
> I'm not sure why the past few front-desk didn't tackle it already
> despite the above communications, in any case I plan to tackle it during
> my FD slot next week if nobody beats me to it.
>
>
> > Now to the question. Do we generally wait for the Debian Security team
> > to do their analysis before LTS do it? If that is the case, the
> > current list makes sense. If not I think my proposed change should be
> > done.
> >
> > I have done a change so that "Issues postponed for stretch, but fixed
> > in buster via DSA or point releases" is much further down in the list
> > because it is generally not so important for triaging work, compared
> > to the other ones.
> >
> > Any objections? If not, I'll commit the change tomorrow.
>
> This section is where we are late compared to stable/oldstable, where
> CVEs are already fixed and published in Debian, but not in Debian LTS,
> sometimes months after.
>
> This sounds more urgent to me than checking untriaged CVEs, hence why
> it's output before.  So I'd keep the ordering as-is.
>
> Cheers!
> Sylvain Beucler
> Debian LTS Team
>



--
 --- Inguza Technology AB --- MSc in Information Technology ----
|  ola@inguza.com                    opal@debian.org            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
 ---------------------------------------------------------------
