Re: Revisiting some old DLAs
On Fri, Dec 06, 2024 at 10:10:19PM -0500, Roberto C. Sánchez wrote:
> Hello everyone,
Hi Roberto,
> The Security Team has supplied a list of packages/CVEs which were fixed
> by DLA (some in bullseye and some in buster) but which remain unfixed in
> bookworm (and which are tagged no-dsa, indicating that the Security Team
> has no immediate plans to address them).
note that these are only the tip of the iceberg.
There are also packages that were DLA-fixed in buster and
pu-fixed or unstable-fixed in bookworm, but are unfixed
in bullseye despite being supported there.
Or older ones, that are e.g. fixed in jessie but not in stretch.
Is this something you or I or someone else should review?
>...
> I have done my best to carefully document for each package the CVE(s)
> which are involved. In the cases where a bullseye DLA is needed, I have
> also added the package to dla-needed.txt (along with a link to the
> related Salsa issue). For packages which were last updated in 2024, I
> have gone ahead and assigned the issue in Salsa to the same individual
> that prepared the last DLA. For older DLAs I did not do this, but rather
> tagged the individual or individuals who prepared the applicable DLAs.
>...
Can we please maintain this information in dla-needed only,
and not have different information in different places?
I initially missed this email, and noticed only quite late that a
package I picked in dla-needed was already supposed to be assigned.
If you consider a DLA incomplete due to missing upload to pu,
you could just assign it to the person who is supposed to fix it.
Or add it unassigned.
Everyone and all tooling is used to dla-needed containing the
authoritative information.
> Regards,
>
> -Roberto
cu
Adrian
BTW:
Regarding "different information in different places", I hope no one
makes the beginner's mistake of assuming that the contents of a git
tree would match the contents in the archive without double-checking.
In a (different) package I had a problem with the bullseye upload, and
discovered that it was fixed in the buster DLA without being mentioned
in the changelog and without the change being in git.
This is normal when information is maintained in different places, and
I would put the blame fully on the person doing the next buster upload
of this package if this person blindly trusts the contents in git.