Re: following or getting ahead of Stable
On Wed, Dec 11, 2024 at 05:10:54PM +0100, Sylvain Beucler wrote:
> Hi,
>
> On 11/12/2024 16:17, Adrian Bunk wrote:
> > On Wed, Dec 11, 2024 at 11:05:10AM +0100, Sylvain Beucler wrote:
> > > On 09/12/2024 18:55, Sylvain Beucler wrote:
> > > > On 07/12/2024 04:10, Roberto C. Sánchez wrote:
> > > > > The Security Team has supplied a list of packages/CVEs which were fixed
> > > > > by DLA (some in bullseye and some in buster) but which remain unfixed in
> > > > > bookworm (and which are tagged no-dsa, indicating that the Security Team
> > > > > has no immediate plans to address them).
> > > >
> > > > What is the general feeling/context over this situation?
> > > >
> > > > - Does LTS fix too many mid/low CVEs, hence should prevent this
> > > > situation e.g. by avoiding fixing ahead of Stable?
> > > >
> > > > - Or, does LTS fix CVEs appropriately, hence is encouraged to fix more
> > > > CVEs, but always in all dists?
> > >
> > > For more context: at a point LTS got negative feedback from Debian about
> > > making too frequent DLAs for low-priority CVEs (resulting in more
> > > maintenance/restart work for sysadmins around the globe), and negative
> > > feedback from Freexian about making such releases instead of handling
> > > packages with more severity or age.
> > >
> > > Conversely, this thread is about fixing many low/mid-priority (no-dsa) CVEs,
> > > and not in LTS but in Stable.
> > >
> > > As a contributor, and as FD, I'm now unsure of what to include in DLAs.
> > > ...
> > > As FD I decided not to add it to dla-needed.txt, waiting for Stable action
> > > to follow, e.g. a point-update.
> > > ...
> > > So is it welcome to fix those low-priority (DoS) CVEs or should we wait?
> > > ...
> >
> > "avoiding fixing ahead of Stable" or "should we wait" gives a wrong
> > impression of the options available.
>
> That's not really my question.
>...
> I was asking the coordinators really, to get a clearer direction, fine-tune
> this middle ground,
But this has to be an immediate yes/no decision.
My point was that "waiting for Stable action to follow, e.g. a point-update"
is not a reasonable option.
Where to put the border between "yes" and "no" is not something
I commented on.
> and possibly get secteam's general feeling on this (since
> this is apparently at their initiative).
>...
My understanding is that they were providing a list of packages/CVEs
where LTS contributors failed to submit fixes for DLA-fixed CVEs to
bookworm-pu.
That's a different topic.
> Cheers!
> Sylvain
cu
Adrian