Re: following or getting ahead of Stable

To: Debian LTS Coordinator <lts-coordinator@freexian.com>
Cc: debian-lts@lists.debian.org
Subject: Re: following or getting ahead of Stable
From: Sylvain Beucler <beuc@beuc.net>
Date: Wed, 11 Dec 2024 17:10:54 +0100
Message-id: <[🔎] 2cb625e7-6f9f-4842-bcca-6e55ff1f9594@beuc.net>
In-reply-to: <Z1mtB/9IacLmMvSN@localhost>
References: <[🔎] Z1O8m3wRwCIdNk40@localhost> <[🔎] 49627fd7-47f3-476c-b191-da701713c90f@beuc.net> <[🔎] 5950fdd0-5e5b-46a6-9e34-0b8ccaabd0d7@beuc.net> <Z1mtB/9IacLmMvSN@localhost>

Hi,

On 11/12/2024 16:17, Adrian Bunk wrote:

On Wed, Dec 11, 2024 at 11:05:10AM +0100, Sylvain Beucler wrote:

On 09/12/2024 18:55, Sylvain Beucler wrote:

On 07/12/2024 04:10, Roberto C. Sánchez wrote:

The Security Team has supplied a list of packages/CVEs which were fixed
by DLA (some in bullseye and some in buster) but which remain unfixed in
bookworm (and which are tagged no-dsa, indicating that the Security Team
has no immediate plans to address them).


What is the general feeling/context over this situation?

- Does LTS fix too many mid/low CVEs, hence should prevent this
situation e.g. by avoiding fixing ahead of Stable?

- Or, does LTS fixes CVEs appropriately, hence is encouraged to fix more
CVEs, but always in all dists?


For more context: at a point LTS got negative feedback from Debian about
making too frequent DLAs for low-priority CVEs (resulting in more
maintenance/restart work for sysadmins around the globe), and negative
feedback from Freexian about making such releases instead of handling
packages with more severity or age.

Conversely, this thread is about fixing many low/mid-priority (no-dsa) CVEs,
and not in LTS but in Stable.

As a contributor, and as FD, I'm now unsure of what to include in DLAs.
...
So is it welcome to fix those low-priority (DoS) CVEs or should we wait?
...


"avoiding fixing ahead of Stable" or "should we wait" gives a wrong
impression of the options available.


That's not really my question.

I do know that there's a middle ground to find between strictlyfollowing Stable, and fixing ahead; usually by triggering correctiveaction when too many postponed CVEs piled-up, hinting at a Debianmanpower shortage (or a large set of low ubsan CVEs).

The DLA frequency is a documented criteria in:
https://lts-team.pages.debian.net/wiki/Development.html#initial-package-triage-for-lts
https://lts-team.pages.debian.net/wiki/Development.html#package-cve-evaluation

I was asking the coordinators really, to get a clearer direction,fine-tune this middle ground, and possibly get secteam's general feelingon this (since this is apparently at their initiative).

We're always fixing either too much or too few of these "Minor issues",clarifications would be appreciated.


So again, see my initial question:
>>> What is the general feeling/context over this situation?
>>> ...

Cheers!
Sylvain

Reply to:

Follow-Ups:
- Re: following or getting ahead of Stable
  - From: Adrian Bunk <bunk@debian.org>

References:
- Revisiting some old DLAs
  - From: Roberto C. Sánchez <roberto@debian.org>
- Re: Revisiting some old DLAs
  - From: Sylvain Beucler <beuc@beuc.net>
- Re: following or getting ahead of Stable
  - From: Sylvain Beucler <beuc@beuc.net>
- Re: following or getting ahead of Stable
  - From: Adrian Bunk <bunk@debian.org>

Prev by Date: Re: following or getting ahead of Stable
Next by Date: Re: following or getting ahead of Stable
Previous by thread: Re: following or getting ahead of Stable
Next by thread: Re: following or getting ahead of Stable
Index(es):
- Date
- Thread