Re: Expanding the scope (slightly) of dla-needed.txt
On Thu, Mar 14, 2024 at 04:47:57PM -0400, Roberto C. Sánchez wrote:
> Hello everyone,
>
> I have discussed with Santiago the idea of whether we need to somewhat
> expand the scope of dla-needed.txt.
>
> In essence, we need to continue tracking packages as in-work in some
> cases even after a DLA is released because we might be working with
> secteam, (O)SRM, and/or the maintainer on an upload to (old)stable.
> I think that in the past this has been handled somewhat informally
> (e.g., someone prepared a DLA and then even after the package was done
> from dla-needed.txt continued working on the (old)stable updates).
> However, for the sake of transparency and clarity we should be keeping
> track of this in some way.
>...
> - FD should be confirming that package removals from dla-needed.txt are
> valid (i.e., that the package does not require any work towards an
> upload to (old)stable)
>...
IMHO it would be a better approach if the coordinator would check this
as part of the Weekly information, not different from other missing
work like missing announcements or git tag.
For every CVE fixed in LTS last week one of the following should be true:
- package is not in stable, or
- CVE is marked as fixed in stable, or
- CVE is listed in data/next-point-update.txt, or
- package is in data/dsa-needed.txt assigned or with an offer to help from
the person who did the DLA, or
- the CVE information in the security tracker gives a clear reason why
no fix is required
The last two checks would have to be done manually by the coordinator,
but the first three could be automated.
The same check can be done for oldstable, using data/next-oldstable-point-update.txt.
For fixes in ELTS, it could also be checked that a CVE is either fixed
in LTS or the package is in data/dla-needed.txt.
Salsa issues would then be opened for the rare cases of missing work,
neither bloating dla-needed.txt nor duplicating information, and not
different from a missing git tag.
This would make the Weekly information even more the point (and deadline)
where every contributor knows that some known checks will be run, which
also has the positive effect that people will do the work in time.
> Regards,
>
> -Roberto
cu
Adrian
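The three automatable checks Adrian lists (package not in the suite, CVE already fixed there, or CVE queued in the next point update), as an added example that is not part of the mail and not the security tracker's own tooling. The tracker status dictionary and the two text snippets are constructed inputs; the line formats are a simplified approximation of data/next-point-update.txt and data/dsa-needed.txt, assumed here for illustration. It generalises the check to any suite, so the oldstable variant is the same call with the other point-update file.

```python
import re

# Constructed sample inputs (simplified approximations of the tracker files).
NEXT_POINT_UPDATE = """\
CVE-2024-0001
	[bookworm] - foo 1.0-1+deb12u1
"""
DSA_NEEDED = """\
bar (alice)
  offered to help after doing the DLA
baz
"""
# Constructed tracker status: CVE -> (package, {suite: "open" | "fixed"}).
# A suite missing from the dict means the package is not in that suite.
FIXED_IN_LTS = {
    "CVE-2024-0001": ("foo", {"bookworm": "open"}),
    "CVE-2024-0002": ("bar", {"bookworm": "open"}),
    "CVE-2024-0003": ("baz", {"bookworm": "open"}),
    "CVE-2024-0004": ("qux", {"bookworm": "fixed"}),
    "CVE-2024-0005": ("quux", {}),
    "CVE-2024-0006": ("corge", {"bookworm": "open"}),
}

def parse_cves(text):
    """CVE ids listed in a (simplified) next-point-update file."""
    return {line.split()[0] for line in text.splitlines() if line.startswith("CVE-")}

def parse_needed(text):
    """package -> assignee (None if unassigned) from non-indented lines."""
    out = {}
    for line in text.splitlines():
        if line and not line[0].isspace():
            m = re.match(r"(\S+)(?:\s+\((.*)\))?", line)
            out[m.group(1)] = m.group(2)
    return out

def triage(fixed, suite, point_update_text, needed_text):
    """Return {cve: verdict} for CVEs that still need a manual look.

    A CVE passes automatically when the package is not in `suite`, the CVE
    is fixed there, or it is queued in the point-update file. Everything
    else is left for the coordinator: dsa-needed entries must be checked
    for an assignee or offer, the rest for a tracker note saying no fix is
    required (and otherwise a Salsa issue)."""
    pending, needed = parse_cves(point_update_text), parse_needed(needed_text)
    verdicts = {}
    for cve, (pkg, status) in sorted(fixed.items()):
        if suite not in status or status[suite] == "fixed" or cve in pending:
            continue
        if pkg in needed:
            verdicts[cve] = f"dsa-needed ({needed[pkg] or 'unassigned'})"
        else:
            verdicts[cve] = "no follow-up found"
    return verdicts
```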