Debian LTS and ELTS - February 2025
Here is my public monthly report.
Thanks to our sponsors for making this possible, and to Freexian for
handling the offering.
https://www.freexian.com/lts/debian/#sponsors
LTS
- cacti
- Review and test candidates for DLA-4048-1 and DSA-5862-1 (by @rouca)
https://lists.debian.org/debian-lts-announce/2025/02/msg00010.html
https://lists.debian.org/debian-security-announce/2025/msg00024.html
- Update Salsa-CI configuration for bullseye
https://salsa.debian.org/debian/cacti/-/blob/bullseye/debian/salsa-ci.yml
- Improve triage on security tracker (additional fixes, not-affected
versions)
- Find and report CVE-2025-26520 (missing fix)
https://github.com/Cacti/cacti/pull/6094
- Front-Desk (week 8)
- Mark 9 packages for update
- Triage or precise triage for <10 CVEs
- Harmonize golang-1.* triage
- Update and tidy work queue
- mariadb
- Review mariadb-10.5.28 and 10.11.11 (upcoming DLA and DSA by @otto)
https://salsa.debian.org/mariadb-team/mariadb-10.5/-/merge_requests/20#note_588091
https://salsa.debian.org/mariadb-team/mariadb-server/-/merge_requests/98#note_588102
- openvpn
- Review proposed update by @aquilamacedo
https://salsa.debian.org/aquilamacedo/openvpn/-/tree/debian/bullseye
ELTS
- pypy
- Massive triage work:
pypy is usually late on synchronizing python2's standard library.
Additionally pypy was not actively tracked wrt. python2 CVEs in Debian.
This required digging further in CVE history than usual, back to 2014(!).
- Fix part of the test suite, enough to ensure non-regression in
affected code. Also set up CI (Continuous Integration) on Salsa.
- Fix tests in current python2.7, to be merged in next ELA.
- Opt for a 2-step release: fix 20+ CVEs now, then help release
pending python2.7 ELAs, and sync pypy along (planned next month)
ELA-1322-1 and ELA-1323-1:
https://www.freexian.com/lts/extended/updates/ela-1322-1-pypy/
https://www.freexian.com/lts/extended/updates/ela-1323-1-pypy/
- Front-Desk (week 8)
- Fix-up triage following new supported packages: unhide 2 pending
packages and process 2025-01-07 skipped packages update
- Associate CVEs from newer, branched Debian packages with different
names to older ELTS packages (golang*, mariadb*, python*),
reference ansible/ansible-core split for future ELTS releases
- Mark 11 supported packages for update
- Triage or precise triage for >15 CVEs and packages
- Clean-up some obsolete CVE entries and improve tooling (see below)
- Update and tidy work queue
- activemq (follow-up to sponsored ELA-1308-1 upload last month)
- Coordinate moving Git data to the reference repository
https://gitlab.com/freexian/services/deblts-team/extended-lts/-/issues/215#note_2328966006
Documentation and tooling
- LTS Documentation
- TestSuites
- New package test pages for Cacti and PyPy:
https://lts-team.pages.debian.net/wiki/TestSuites/cacti.html
https://lts-team.pages.debian.net/wiki/TestSuites/pypy.html
- golang: update on mass-rebuilding issue status for reverse
dependencies, and propose guidelines update:
https://lts-team.pages.debian.net/wiki/TestSuites/golang.html
https://salsa.debian.org/lts-team/lts-team.pages.debian.net/-/merge_requests/16
- autopkgtest (testing tool): vastly improve and test VM
generation (QEMU-based); debugging techniques; minor fixes and
clarifications overall:
https://lts-team.pages.debian.net/wiki/TestSuites/autopkgtest.html
https://lts-team.pages.debian.net/wiki/TestSuites/autopkgtest.html#full-vm-environment-isolation-machine
- nginx: minor updates
https://lts-team.pages.debian.net/wiki/TestSuites/nginx.html
- HOWTO create an arm* VM for testing purposes: move from previously
private/ELTS documentation; this started in a loosely related
page, but eventually became an independent document worth sharing:
https://lts-team.pages.debian.net/howtos/arm-vm.html
- User-oriented pages fixes (wrong link, fix architectures list):
https://wiki.debian.org/LTS
https://lts-team.pages.debian.net/wiki/FAQ.html
- Clarify user-oriented and dev-oriented docs
https://lts-team.pages.debian.net/wiki/
- Development: reference and compare Salsa-based tooling with prior
documentation, minor reorganisation
https://lts-team.pages.debian.net/wiki/Development.html
- Private/ELTS documentation:
- CI: cover autodep8 current limitations
- Front-Desk duties: precise procedure for renamed packages, fix
minor bug in code snippet for handling newly supported packages
- Tooling
- lts-cve-triage.py: drop broken --skip-dla-needed option
https://salsa.debian.org/security-tracker-team/security-tracker/-/blob/master/bin/lts-cve-triage.py
- bin/elts-drop-obsolete: detect and drop emptied entries from
Debian security tracker, fix TEMP-XXX generation corner case
https://salsa.debian.org/freexian-team/extended-lts/security-tracker/-/blob/master/bin/elts-drop-obsolete
- Help around
- Help contributor with autopkgtest VM generation, eventually
reproduce and identify fix, update documentation with debugging
techniques (see above)
- Help end-user on dist-upgrade issue:
https://lists.debian.org/debian-lts/2025/02/msg00021.html
- Participate in LTS processes discussions
Automated checking for uploads and git tags after DSA/DLA
https://salsa.debian.org/lts-team/lts-extra-tasks/-/issues/74#note_579616
- Jitsi meeting
Help take meeting notes, present golang topic
https://lists.debian.org/debian-lts/2025/02/msg00046.html
--
Sylvain Beucler
Debian LTS Team