
Re: Expanding the scope (slightly) of dla-needed.txt



Hello Roberto,

On Thu, 14 Mar 2024, Roberto C. Sánchez wrote:
> Santiago and I are in agreement that at the moment the best available
> option is to use dla-needed.txt even for tracking work that needs to
> happen after the DLA is released, specifically working toward an upload
> to (old)stable.

Those processes can be quite long. So the entry in dla-needed might stay
around with lots of historical comments and with someone assigned who is
not actively doing anything on the package (waiting for the next
stable update or similar).

What happens then when a new CVE shows up for that package?

It might not show up for triaging by frontdesk because the package is
already listed... and the person assigned is not monitoring the list of
CVEs of the packages since they are basically waiting for the next point
release, or an answer from the security team, etc.

Thus I have fears that this change might end up with us failing to be
reactive on some updates.

Some alternative proposals to try to be constructive:

- add "foo/bullseye" or "foo/bookworm" entries to track separately the
  work on other releases (you need to check how the triaging script
  interacts with that kind of entry)

- use salsa issues to track those (what happened to the experiment to use
  salsa issues for regular updates BTW?)

Cheers,
-- 
  ⢀⣴⠾⠻⢶⣦⠀   Raphaël Hertzog <hertzog@debian.org>
  ⣾⠁⢠⠒⠀⣿⡁
  ⢿⡄⠘⠷⠚⠋    The Debian Handbook: https://debian-handbook.info/get/
  ⠈⠳⣄⠀⠀⠀⠀   Debian Long Term Support: https://deb.li/LTS

