
Re: following or getting ahead of Stable



Hi,

On 11/12/2024 16:17, Adrian Bunk wrote:
> On Wed, Dec 11, 2024 at 11:05:10AM +0100, Sylvain Beucler wrote:
>> On 09/12/2024 18:55, Sylvain Beucler wrote:
>>> On 07/12/2024 04:10, Roberto C. Sánchez wrote:
>>>> The Security Team has supplied a list of packages/CVEs which were fixed
>>>> by DLA (some in bullseye and some in buster) but which remain unfixed in
>>>> bookworm (and which are tagged no-dsa, indicating that the Security Team
>>>> has no immediate plans to address them).
>>>
>>> What is the general feeling/context over this situation?
>>>
>>> - Does LTS fix too many mid/low CVEs, hence should prevent this
>>> situation e.g. by avoiding fixing ahead of Stable?
>>>
>>> - Or, does LTS fix CVEs appropriately, hence is encouraged to fix more
>>> CVEs, but always in all dists?
>>>
>>> For more context: at a point LTS got negative feedback from Debian about
>>> making too frequent DLAs for low-priority CVEs (resulting in more
>>> maintenance/restart work for sysadmins around the globe), and negative
>>> feedback from Freexian about making such releases instead of handling
>>> packages with more severity or age.
>>>
>>> Conversely, this thread is about fixing many low/mid-priority (no-dsa) CVEs,
>>> and not in LTS but in Stable.
>>>
>>> As a contributor, and as FD, I'm now unsure of what to include in DLAs.
>>> ...
>>> So is it welcome to fix those low-priority (DoS) CVEs or should we wait?
>>> ...
>
> "avoiding fixing ahead of Stable" or "should we wait" gives a wrong
> impression of the options available.

That's not really my question.

I do know that there's a middle ground to find between strictly following Stable, and fixing ahead; usually by triggering corrective action when too many postponed CVEs have piled up, hinting at a Debian manpower shortage (or a large set of low ubsan CVEs).
The DLA frequency is a documented criterion in:
https://lts-team.pages.debian.net/wiki/Development.html#initial-package-triage-for-lts
https://lts-team.pages.debian.net/wiki/Development.html#package-cve-evaluation

I was asking the coordinators really, to get a clearer direction, fine-tune this middle ground, and possibly get secteam's general feeling on this (since this is apparently at their initiative).

We're always fixing either too much or too few of these "Minor issues", clarifications would be appreciated.

So again, see my initial question:
>>> What is the general feeling/context over this situation?
>>> ...

Cheers!
Sylvain
