Re: How to handle freeimage package

To: Ola Lundqvist <ola@inguza.com>
Cc: Roberto C. Sánchez <roberto@debian.org>, debian-lts@lists.debian.org
Subject: Re: How to handle freeimage package
From: Raphael Hertzog <hertzog@debian.org>
Date: Fri, 12 Apr 2024 10:24:49 +0200
Message-id: <[🔎] Zhjv0URwnLYcHgAE@t14-buxy.home.ouaza.com>
Mail-followup-to: Raphael Hertzog <hertzog@debian.org>, Ola Lundqvist <ola@inguza.com>, Roberto C. Sánchez <roberto@debian.org>, debian-lts@lists.debian.org
In-reply-to: <[🔎] CABY6=0=j-G7GcRqVYcUjcbWXWhsVRacQHGHRjZC2bjBh9TknrQ@mail.gmail.com>
References: <[🔎] ZhbK_dIHjUsPYohQ@connexer.com> <[🔎] CABY6=0=fdjw1k7jVOqGVp6JzP4UEx8w2iJKmBe4N_GGoRrkURw@mail.gmail.com> <[🔎] Zhcv4jT7Err0GxJb@pokemon> <[🔎] CABY6=0keU-Q8dxoAMRSMMTaNpG1q7+C2+soqn7q+a8-u81G0dA@mail.gmail.com> <[🔎] Zhfm1Ybrkfxe_pzW@pokemon> <[🔎] CABY6=0=d2GRaCkxgmC-4CLVwNfNd6rVhtpHu9voa314Vp9HfEw@mail.gmail.com> <[🔎] ZhhMBCV6Kew1+QD3@localhost> <[🔎] CABY6=0k8340y7dJLiQti5YFdKxW7uX=9u8GJ5OB2OWAT5eiymA@mail.gmail.com> <[🔎] ZhhpaWu-DUmnxfZM@localhost> <[🔎] CABY6=0=j-G7GcRqVYcUjcbWXWhsVRacQHGHRjZC2bjBh9TknrQ@mail.gmail.com>

Hello Ola,

On Fri, 12 Apr 2024, Ola Lundqvist wrote:
> I see three:
> 1) copy secteam decision and move on to the next package (I guess
> remove from dla-needed)
> 2) copy secteam decision for most of them, but fix the ones with fedora patches
> 3) dive in and start developing (that will take quite a lot of effort)
> 
> I think we should do 1 or 2 as a start. Based on all other discussions
> I'm not sure what a "consensus decision" would be.

Most of your reasoning was about "we can't fix everything as we don't have
enough resources" so we must make judgment calls and decide based on
priorities.

But here the call is relatively easy to make if you take the time to
include the data from ELTS on top of the data from LTS.

* We have an ELTS customer with this package
* There are plenty of work hours available in ELTS
* The security team has suggested we open upstream bug reports and start
  to push fixes

So please let's move on and get onto real security work. All LTS/ELTS
contributors are expected to be skilled programmers to be able to develop
fixes and submit them upstream.

Thank you.
-- 
  ⢀⣴⠾⠻⢶⣦⠀   Raphaël Hertzog <hertzog@debian.org>
  ⣾⠁⢠⠒⠀⣿⡁
  ⢿⡄⠘⠷⠚⠋    The Debian Handbook: https://debian-handbook.info/get/
  ⠈⠳⣄⠀⠀⠀⠀   Debian Long Term Support: https://deb.li/LTS

Reply to:

Follow-Ups:
- Re: How to handle freeimage package
  - From: Ola Lundqvist <ola@inguza.com>

References:
- Re: How to handle freeimage package
  - From: Roberto C. Sánchez <roberto@debian.org>
- Re: How to handle freeimage package
  - From: Ola Lundqvist <ola@inguza.com>
- Re: How to handle freeimage package
  - From: Santiago Ruano Rincón <santiagorr@riseup.net>
- Re: How to handle freeimage package
  - From: Ola Lundqvist <ola@inguza.com>
- Re: How to handle freeimage package
  - From: Santiago Ruano Rincón <santiagorr@riseup.net>
- Re: How to handle freeimage package
  - From: Ola Lundqvist <ola@inguza.com>
- Re: How to handle freeimage package
  - From: Adrian Bunk <bunk@debian.org>
- Re: How to handle freeimage package
  - From: Ola Lundqvist <ola@inguza.com>
- Re: How to handle freeimage package
  - From: Roberto C. Sánchez <roberto@debian.org>
- Re: How to handle freeimage package
  - From: Ola Lundqvist <ola@inguza.com>

Prev by Date: Re: freeimage and CVE-2019-12214
Next by Date: Re: How to handle freeimage package
Previous by thread: Re: How to handle freeimage package
Next by thread: Re: How to handle freeimage package
Index(es):
- Date
- Thread