LTS Meeting Notes
Hi Everyone,
Here are the notes from the recent monthly LTS contributor meetings.
(With my apologies for the delay in sending this out.)
Agenda:
- Roll Call
+ "Presents" below
- New team members:
+ No new team members
- Action item review: (Roberto)
+ Action: Clarify guidance on unstable and stable updates
* Assignee: roberto
* Result: Updated the FAQ in our internal team docs; sent message to internal mailing list
+ Action: Revisit our no-dsa policy
* Assignee: roberto
* Result: https://lists.debian.org/debian-lts/2025/05/msg00073.html
* Also currently revisiting Xla-needed.txt as announced on list;
this will result in documentation updates for FD and contributors
(both are contributing to CVE triage). Also what to do when
looking for work depending on amount of available time and skills
vs. package complexity.
- Featured issue(s) of the month: (Roberto)
+ DebCamp25: Security Tracker Sprint, issue list:
https://salsa.debian.org/lts-team/lts-extra-tasks/-/issues/87
+ DebCamp 25 Security Tracker sprint - planning announcement:
https://lists.debian.org/debian-lts/2025/05/msg00055.html
+ Please follow the "rules of engagement" section if you intend to
participate, even remotely
- Discussion about how to solve CVEs in firmware-nonfree
+ debian-kernel already had a meeting and discussed it:
+ https://meetbot.debian.net/debian-kernel/2024/debian-kernel.2024-10-30-20.00.html
- Reminders: (Roberto)
+ Ensure <not-affected> triage is applied correctly (i.e., notes
introducing/fixing commits)
+ Add explanatory notes, notably introductory commit, PoC link if not
already
+ rouca: idea: try to link somewhat automatically (algorithm, AI, ...)
with sources.debian.org; maybe start initial discussion during
DebCamp
- DebCamp25 Security Tracker Sprint: (Roberto)
+ Only 6 confirmed participants, 2 not regular contributors
+ Reminder: announce your involvement (cf. issue of the month above)
+ Roberto not able to come in person this year but will participate remotely
+ Focused on security tracker, but not only
+ During the full debcamp week, not specific days, depending on when
contributors have time
- ELTS arm* porterbox/lab to investigate buildd failures (Beuc)
+ ELTS dists not available in Debian porterboxes
+ debvm (qemu): 10-20x slower due to arm-on-amd64 emulation; not
exactly the same hardware anyway and fails differently; many more
timeout-related issues
+ specific buildd setup (sbuild, overlayfs, different kernels...) hard
to identify and reproduce; many hours spent on making and testing
hypothesis when trying to figure out ARM build or test failures
* Action: [santiago] ask Freexian about the feasibility to have
porterboxes for ELTS archs. Include in the inquiry the question of
whether we try to have porterboxes for all possible hardware
variations, only the most common, or something in between.
# Internal issue filed.
* Beware that debian porter/buildd was updated since stretch, beware
of forward compatibility of box. Trixie porter box are maybe the
most suitable for stretch.
- Discussion: <no-dsa> CVEs and upload conflict (Roberto/Santiago)
+ Detailed process discussion (Guilhem)
+ The security team (jmm) says we can use
security-tracker:data/next-point-update.txt file (specific to track
the pending SPU uploads), to notify the security-team that an update
is in progress by us to fix <no-dsa> issues, *even if SRM didn't
accept the update yet*. This is to avoid conflict with the security
team if they also prepare an update and didn't notice all the current
WIP PU.
+ We could also file a bug against the package we're update to ensure
there's awareness, for the maintainer and the security team, as soon
as our work starts (may be using a specific user tag ?)
+ Action: [guilhem] propose an MR with detailed guidance on
data/next-point-update.txt
- Debusine-based workflows (Santiago)
+ Does Debusine r-deps autopkgtests support comparing with the
previous version of the package? Something like what we have in the
elts-staging + britney2 (Charles)
* No reference test yet, it is ongoing work; maybe in September;
great for LTS since we don't have that tooling at all (unlike
ELTS)
+ Reminder: Debusine beta for LTS and ELTS workflow
+ Signing issue raised last month (requiring to sign binary packages)
was recently fixed, only source package needs to be signed for ELTS
now
+ We could discuss this further in the LTS BoF
- AOB
+ firmware package (tobi): special package, non-free, requires
different approach to fixing CVEs, tied to the kernel itself,
security-team is considering options such as cherry-picking.
+ Same for firmware like package like ca-certificates, that need
update directly from sid. Beware no CVEs issued for certificates
issue.
* similar to tzdata as well. Tzdata update is known to break
testsuite (like postgres or mariaDB)
+ Setup KGB in #debian-lts for MRs and issues in
lts-team/lts-team.pages.debian.net (Charles)
* ACTION: charles send message to debian-lts@
+ Reminder: we have a LTS BoF during DebCONF to discuss ideas/issues
in person
* We can prepare an agenda
https://pad.dc25.debconf.org/p/106-debian-lts-bof
- Next meeting: 2025-07-24 [Location: #debian-lts on IRC]
+ Decide if we maintain that meeting depending on the BoF
Present:
Roberto
Beuc
Thorsten Alteholz
guilhem
Lucas Kanashiro
Faidon Liambotis
tobi
Santiago
rouca
Lee
Jochen
Charles
Paride
Apologies:
Adrian
Helmut
--
Roberto C. Sánchez
Reply to: