LTS meeting notes - April

To: debian-lts@lists.debian.org
Subject: LTS meeting notes - April
From: Roberto C. Sánchez <roberto@debian.org>
Date: Fri, 25 Apr 2025 16:30:24 -0400
Message-id: <[🔎] aAvw4I0th2LMabi3@localhost>
Mail-followup-to: Roberto C. Sánchez <roberto@debian.org>, debian-lts@lists.debian.org

Hello everyone,

Here are the notes from the April LTS contributor meeting:

- Roll Call

- New team members: (no new team members in the past month)

- Action item review: (Roberto)
  + Action: (a) update the team docs to make this [package claim/note policy] a bit more clear, and (b) write an issue (in lts-extra-tasks) for implementing an automated package claim age check + associated notifications?
  + Assignee: Beuc
  + Result: https://salsa.debian.org/lts-team/lts-team.pages.debian.net/-/merge_requests/18 https://salsa.debian.org/lts-team/lts-extra-tasks/-/issues/85

- Tasks in the lts-extra-tasks project
  + Feel free to contribute to lts-extra-tasks when doing LTS/ELTS hours (up to 25%)
  + There are numerous pending issues (for tooling improvements, infrastructure, documentation, etc.)
  + If you find yourself looking for something to do and there are no packages available to work on, then consider looking at these issues

- Debusine-based workflows (Santiago)
  + Testing upload-to-unstable or upload-to-experimental workflows in debusine.d.n is welcome!
  + Looking for beta-testers
  + cf. mail on deblts-team@
  + Goal: better CI / identify regressions; being able to upload to bookworm/bookworm-security, from debusine
  + debusine is starting to take shape; already used to attempt mass-rebuilds / migration tests (e.g. cmake-related changes recently)

- Fast CVE triage history https://lists.debian.org/debian-lts/2025/04/msg00018.html (Beuc)
  + Specifically trying to address the slowness of git blame on data/CVE/list in the security tracker
  + Quick git blame is useful for LTS work, especially for FD tasks
  + Looking for people to test drive the prototype implementation by Beuc: https://salsa.debian.org/beuc/cvehist
  + Please provide feedback, suggestions, etc.
  + Could this approach become the canonical source of truth and then the concatenated CVE list be generated when needed?

- Security Tracker sprint for DebCamp25
  + The event is registered: https://debconf25.debconf.org/talks/108-security-tracker-sprint/
  + I am working on the execution plan, which I will send out for review/comment when it is ready (next week)
  + A more detailed plan will be released next week; ideally with tasks that can be attributed to attendees in advance
  + Checking if we make sure we have enough funded hours to do the sprint without impacting the daily LTS/ELTS security work
  + Even if coming a few hours per day, it would be useful, no need to attend the full sprint

- Adjustments for July meeting? (roberto)
  + DebCamp and DebConf run 7-13 July and 14-20 July, respectively
  + There will be a Security Tracker sprint during DebCamp (involving mostly LTS people)
  + Santiago will be hosting a LTS BoF during DebConf
  + At present, the July meeting is scheduled for the 24th
  + Will enough people be able to participate in the BoF (in person or virtually), that we want to consider it in lieu of the meeting?
  + The meeting can remain on the schedule for now, and the decision to cancel can be made at the end of the BoF

- Debian 11 and 12 ELTS: packages with complex security support (santiago)
  - Request for input: when working on complex packages during LTS/ELTS work, please report packages that may be very difficult to support
    * rouca: JavaScript/nodejs ecosystem is expanding and it will be difficult to handle; key packages will be EOL? E.g. twitter-bootstrap, EOLd versions used upstream. ckeditor[v4] EOL'd/proprietary, not v5 (Beuc)
    * rouca: Apache2 (issues with upstream?)?
    * lee: Samba needs to work against a wide range of Windows installations, and integration tests currently cannot cover that.
    * rouca: static linking / vendoring in general
    * rouca: pushing last stable branches to stable right now (doing that for Ruby) (tobi also doing that for freerdp2 and zabbix, but for the latter sec teams seems to be reluctant...)
  - Discuss this in the issues: https://gitlab.com/freexian/services/deblts-team/debian-lts/-/issues/81
https://gitlab.com/freexian/services/deblts-team/debian-lts/-/issues/84

- AOB:
  + Pre-announcement: contract with Invisible Things Lab to support Xen
  + rouca: help with embargoe'd issue related to 32bit/sobump transitions

- Next meeting: 2025-05-22 14:00 UTC [Location: #debian-lts on IRC]

-- 
Roberto C. Sánchez

Reply to:

Prev by Date: Re: What pain points exist in the current security-tracker structure?
Next by Date: Re: What pain points exist in the current security-tracker structure?
Previous by thread: linux-image-6.1-* in Debian Bookworm
Next by thread: CVE-2025-27773 / #1100595 / Re: simplesamlphp 2.x for trixie? (Re: Bug#1088816: Current version not supported)
Index(es):
- Date
- Thread