Hello,

On Thu 12 Dec 2024 at 03:51am +02, Adrian Bunk wrote:

> On Wed, Dec 11, 2024 at 07:19:50PM -0500, Roberto C. Sánchez wrote:
>>...
>> We can look at our various tasks as follows:
>>
>> - creation of a DLA (requires preparing the update, uploading the
>>   package, and making the announcement)
>>...
>> - additional work in support of stable (-sec or -pu)
>>...
>
> There are two reasons why I object to calling this "additional work":
>
>
> 1. The job should be to fix all (fixable) CVEs in all releases
>
> No matter whether it's understanding a CVE fix, testing a CVE fix,
> or testing the package in general, if one person does all pending
> work on a package for all releases in one block of work it's less
> work than splitting it.
>
>
> 2. Fixing should happen in order
>
> If I would fix a package in all 6 releases from sid to jessie,
> I would start with sid, apply the changes there, and test this first.
>
> Then take the changes from sid to bookworm.
> ...
>
> If there's some additional backporting work required in e.g. bullseye
> I do that once there, and I will then automatically carry this further
> when I go from bullseye to buster.
>
> When you fix something in bullseye that has already been fixed in buster,
> you always have to check whether you want to backport or forwardport a
> change by checking what you get in either direction.

I think you're right in the general case, but it seems to me like
Roberto was trying to deal with the fact that we only recently firmly
decided to *always* (at least attempt to) work backwards all the way
from sid, and as such, developed a backlog. In that case adding a whole
pile of special dla-needed entries, which only in fact cover stable-pu
and do not require a DLA, would probably just be confusing.

-- 
Sean Whitton