Upcoming changes in {d,e}la-needed.txt



Greetings everyone,

This message is meant to make you aware of some activity that you will
see from me in dla-needed.txt/ela-needed.txt in the coming days. My
original plan had been to simply start making some updates, but I
quickly realized that doing so unannounced was likely to cause some
confusion.

First, some background.

During the last monthly LTS meeting Emilio raised the issue of whether
we are being overly aggressive in our pursuit of no-dsa issues. This was
not the first time that this issue has been raised, and following the
meeting I initiated a mailing list discussion [0]. Some of the ensuing
discussion in that thread made it clear that this is a multi-faceted
issue with a not very simple solution. Sylvain observed that overall
package priority, in addition to individual CVE priority, should be
considered. Samuel pointed out that the default position of other
distros is to leave moderate and low severity issues unfixed in older
distros, unless specifically requested by a user. In addition to this
specific discussion thread, we have previously had feedback that our
aggressiveness in fixing many low priority issues is not viewed as
universally positive. This doesn't mean that we should refrain from
fixing issues because not everybody likes it, but should cause us to
question if our current approach is the best of all possibilities.

So, what does this mean and what am I (or what are we) going to do about
it?

It is clear that our current approach has grown somewhat organically,
and as a result it has perhaps grown to the point that we are not in the
right balance. After having pondered all of this for a while, and after
speaking at length with Santiago about this, I am of the opinion that we
need:

- to re-evaluate the packages currently listed in
  dla-needed.txt/ela-needed.txt to determine whether they really belong
  there; that is, whether an immediate update is needed for those packages
- in the process of the above, I need to document some clearer criteria
  for how we treat priority/severity of individual CVEs and of packages
  (i.e., groups of CVEs)

To that end, in the coming days I plan to carefully review each package
that is presently listed in dla-needed.txt/ela-needed.txt, and each
package's related CVEs. Along the way I will write down the criteria
which will be used going forward (both by FD for initial triage and by
anyone else doing additional triage after claiming a package), and once
I have the documentation written I will prepare a MR and request reviews
by certain individuals whose input I specifically want (though I will
announce the MR to the whole team and anyone on the team will be welcome
to comment).

If I make any updates to dla-needed.txt/ela-needed.txt that affect a
package that you may be individually working on, or one that you may
have worked on at some point in the recent past, I will follow up with
you individually via email.

Regards,

-Roberto

[0] https://lists.debian.org/debian-lts/2025/05/msg00073.html

-- 
Roberto C. Sánchez