
Re: Revisiting some old DLAs



On Wed, Dec 11, 2024 at 02:35:00PM -0500, Roberto C. Sánchez wrote:
> On Tue, Dec 10, 2024 at 01:45:49AM +0200, Adrian Bunk wrote:
> > On Mon, Dec 09, 2024 at 07:22:30PM -0300, Santiago Ruano Rincón wrote:
> > > 
> > > To be discussed. The issue with dla-needed (in its current form) and
> > > bookworm point updates is that dla-needed is aimed at the LTS release.
> > 
> > Current practice is that new DLAs are in dla-needed, and incomplete DLAs 
> > (e.g. missing git) are gitlab issues.
> > 
> > Any DLA-fixed CVE that is fixed in bullseye but not in bookworm would 
> > have to come from a DLA during the past 3.5 months where the contributor 
> > failed to submit the fixes from a DLA to bookworm.[1]
> > 
> > I would treat these as incomplete DLAs, where a gitlab issue should be 
> > created and assigned to the person who provided the DLA.
> > 
> Only they aren't necessarily incomplete DLAs.
>...

I thought submitting DLA fixes also to (old)stable was part of our job.

I have done -pu uploads for 14 of my DLAs and DSAs for 5 of my DLAs this 
year so far.

> For some, the DLA was
> already published and completed and what was "missing" was an assist to
> the maintainer and/or SRM to get an update for a point release.
>...

I have a hard time understanding what you are thinking when you write
"an assist to the maintainer and/or the SRM".

DLA, DSA and (old)stable-pu all work similarly:
You upload a package and you send an email.

The email might be a release announcement (DLA),
or a debdiff for review (DSA, pu).

And there are some differences in the order between upload and email.

I don't recall if I ever fixed the same CVE in all 6 releases from an 
NMU in sid down to jessie, but if that happened it was 6 uploads with
4 different ways to announce/submit.

> Regards,
> 
> -Roberto

cu
Adrian

