Re: Revisiting some old DLAs
On Wed, Dec 11, 2024 at 02:35:00PM -0500, Roberto C. Sánchez wrote:
> On Tue, Dec 10, 2024 at 01:45:49AM +0200, Adrian Bunk wrote:
> > On Mon, Dec 09, 2024 at 07:22:30PM -0300, Santiago Ruano Rincón wrote:
> > >
> > > To be discussed. The issue with dla-needed (in its current form) and
> > > bookworm point updates is that dla-needed is aimed at the LTS release.
> >
> > Current practice is that new DLAs are in dla-needed, and incomplete DLAs
> > (e.g. missing git) are gitlab issues.
> >
> > Any DLA-fixed CVE that is fixed in bullseye but not in bookworm would
> > have to come from a DLA during the past 3.5 months where the contributor
> > failed to submit the fixes from a DLA to bookworm.[1]
> >
> > I would treat these as incomplete DLAs, where a gitlab issue should be
> > created and assigned to the person who provided the DLA.
> >
> Only they aren't necessarily incomplete DLAs.
>...
I thought submitting DLA fixes also to (old)stable was part of our job.
I have done -pu uploads for 14 of my DLAs and DSAs for 5 of my DLAs this
year so far.
> For some, the DLA was
> already published and completed and what was "missing" was an assist to
> the maintainer and/or SRM to get an update for a point release.
>...
I have a hard time understanding what you are thinking when you write
"an assist to the maintainer and/or the SRM".
DLA, DSA and (old)stable-pu all work similar:
You upload a package and you send an email.
The email might be a release announcement (DLA),
or a debdiff for review (DSA, pu).
And there are some differences in the order between upload and email.
I don't recall if I ever fixed the same CVE in all 6 releases from an
NMU in sid down to jessie, but if that happened it was 6 uploads with
4 different ways to announce/submit.
> Regards,
>
> -Roberto
cu
Adrian
Reply to: