
Re: Expanding the scope (slightly) of dla-needed.txt



On Thu, Mar 14, 2024 at 04:47:57PM -0400, Roberto C. Sánchez wrote:
> Hello everyone,
> 
> I have discussed with Santiago the idea of whether we need to somewhat
> expand the scope of dla-needed.txt.
> 
> In essence, we need to continue tracking packages as in-work in some
> cases even after a DLA is released because we might be working with
> secteam, (O)SRM, and/or the maintainer on an upload to (old)stable.
> I think that in the past this has been handled somewhat informally
> (e.g., someone prepared a DLA and then even after the package was done
> from dla-needed.txt continued working on the (old)stable updates).
> However, for the sake of transparency and clarity we should be keeping
> track of this in some way.
>...
> - FD should be confirming that package removals from dla-needed.txt are
>   valid (i.e., that the package does not require any work towards an
>   upload to (old)stable)
>...

IMHO it would be a better approach if the coordinator would check this 
as part of the Weekly information, not different from other missing 
work like missing announcements or git tag.

For every CVE fixed in LTS last week one of the following should be true:
- package is not in stable, or
- CVE is marked as fixed in stable, or
- CVE is listed in data/next-point-update.txt, or
- package is in data/dsa-needed.txt assigned or with an offer to help from
  the person who did the DLA, or
- the CVE information in the security tracker gives a clear reason why
  no fix is required

The last two checks would have to be done manually by the coordinator,
but the first three could be automated.

The same check can be done for oldstable, using data/next-oldstable-point-update.txt.

For fixes in ELTS, it could also be checked that a CVE is either fixed
in LTS or the package is in data/dla-needed.txt.

Salsa issues would then be opened for the rare cases of missing work,
neither bloating dla-needed.txt nor duplicating information, and not
different from a missing git tag.

This would make the Weekly information even more the point (and deadline) 
where every contributor knows that some known checks will be run, which
also has the positive effect that people will do the work in time.

> Regards,
> 
> -Roberto

cu
Adrian
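The three automatable checks proposed in the message above, written out as an added example (this is not a script from the Debian LTS team or the security tracker; the file formats it parses and all sample data are constructed here and only approximate the real data/next-point-update.txt and data/dsa-needed.txt). Anything the script cannot decide automatically is returned for the coordinator to look at manually, matching the split between automated and manual checks described in the message. Running it for oldstable means feeding it the oldstable package list, fixed-in-oldstable CVEs and the next-oldstable-point-update text instead.

```python
"""Added example: automate the first three per-CVE checks from the message
(package not in stable / CVE fixed in stable / CVE queued for the next
point update) and hand everything else to the coordinator for review.
Not a Debian LTS or security-tracker script; formats are approximated.
"""
import re
from dataclasses import dataclass

# Constructed sample: CVEs fixed by DLAs last week, as (CVE id, source package).
# The CVE ids are placeholders, not real identifiers.
FIXED_IN_LTS_LAST_WEEK = [
    ("CVE-0000-0001", "examplepkg"),   # already marked fixed in stable
    ("CVE-0000-0002", "examplepkg"),   # queued for the next point update
    ("CVE-0000-0003", "ltsonlypkg"),   # package does not exist in stable
    ("CVE-0000-0004", "otherpkg"),     # nothing recorded -> manual review
    ("CVE-0000-0005", "thirdpkg"),     # listed in dsa-needed.txt -> manual check
]

# Constructed: source packages present in stable, and CVEs the tracker
# marks as fixed in stable.
STABLE_PACKAGES = {"examplepkg", "otherpkg", "thirdpkg"}
FIXED_IN_STABLE = {"CVE-0000-0001"}

# Constructed snippet in the spirit of data/next-point-update.txt
# (assumed layout: a CVE id line followed by indented suite/version lines).
NEXT_POINT_UPDATE_TXT = """\
CVE-0000-0002
\t[bookworm] - examplepkg 1.0-1+deb12u1
"""

# Constructed snippet in the spirit of data/dsa-needed.txt
# (assumed layout: "package (assignee)" lines, indented notes, "--" separators).
DSA_NEEDED_TXT = """\
--
thirdpkg (someone)
  NOTE: offered help
--
"""

CVE_RE = re.compile(r"^(CVE-\d{4}-\d{4,})\b")


def cves_in_next_point_update(text):
    """CVE ids that start a line in the (assumed) next-point-update format."""
    return {m.group(1) for line in text.splitlines()
            if (m := CVE_RE.match(line))}


def packages_in_dsa_needed(text):
    """Package names from non-indented, non-separator lines of dsa-needed.txt."""
    pkgs = set()
    for line in text.splitlines():
        if not line or line.startswith(("--", " ", "\t")):
            continue
        pkgs.add(line.split()[0])
    return pkgs


@dataclass
class Finding:
    cve: str
    package: str
    reason: str


def followup_candidates(fixed_in_lts, stable_packages, fixed_in_stable,
                        next_point_update_txt, dsa_needed_txt):
    """Return the (CVE, package) pairs that pass none of the automated checks.

    A pair is silently accepted when the package is absent from stable, the
    CVE is fixed in stable, or the CVE is queued for the point update.  The
    remaining pairs need the coordinator's manual look: either the package is
    in dsa-needed.txt (assignment/offer to be confirmed by hand) or the
    tracker notes must justify why no stable fix is required.
    """
    queued = cves_in_next_point_update(next_point_update_txt)
    dsa_pkgs = packages_in_dsa_needed(dsa_needed_txt)
    findings = []
    for cve, pkg in fixed_in_lts:
        if pkg not in stable_packages or cve in fixed_in_stable or cve in queued:
            continue
        if pkg in dsa_pkgs:
            reason = "in dsa-needed.txt: confirm assignment or offer to help"
        else:
            reason = "no stable fix, not queued, not in dsa-needed.txt: check tracker notes"
        findings.append(Finding(cve, pkg, reason))
    return findings


if __name__ == "__main__":
    for f in followup_candidates(FIXED_IN_LTS_LAST_WEEK, STABLE_PACKAGES,
                                 FIXED_IN_STABLE, NEXT_POINT_UPDATE_TXT,
                                 DSA_NEEDED_TXT):
        print(f"{f.cve} {f.package}: {f.reason}")
```

With the constructed input, only the last two pairs are reported; the rest are cleared by the automated checks, which is the "rare cases of missing work" the message wants to turn into Salsa issues.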

