
LTS Meeting Notes



Hi Everyone,

Here are the notes from the recent monthly LTS contributor meetings.
(With my apologies for the delay in sending this out.)

Agenda:

- Roll Call
  + "Presents" below

- New team members:
  + No new team members

- Action item review: (Roberto)
  + Action: Clarify guidance on unstable and stable updates
    * Assignee: roberto
    * Result: Updated the FAQ in our internal team docs; sent message to internal mailing list
  + Action: Revisit our no-dsa policy
    * Assignee: roberto
    * Result: https://lists.debian.org/debian-lts/2025/05/msg00073.html
    * Also currently revisiting Xla-needed.txt as announced on list;
      this will result in documentation updates for FD and contributors
      (both are contributing to CVE triage). Also what to do when
      looking for work depending on amount of available time and skills
      vs. package complexity.

- Featured issue(s) of the month: (Roberto)
  + DebCamp25: Security Tracker Sprint, issue list:
    https://salsa.debian.org/lts-team/lts-extra-tasks/-/issues/87
  + DebCamp 25 Security Tracker sprint - planning announcement:
    https://lists.debian.org/debian-lts/2025/05/msg00055.html
  + Please follow the "rules of engagement" section if you intend to
    participate, even remotely

- Discussion about how to solve CVEs in firmware-nonfree
  + debian-kernel already had a meeting and discussed it:
  + https://meetbot.debian.net/debian-kernel/2024/debian-kernel.2024-10-30-20.00.html

- Reminders: (Roberto)
  + Ensure <not-affected> triage is applied correctly (i.e., notes
    introducing/fixing commits)
  + Add explanatory notes, notably introductory commit, PoC link if not
    already
  + rouca: idea: try to link somewhat automatically (algorithm, AI, ...)
    with sources.debian.org; maybe start initial discussion during
    DebCamp

- DebCamp25 Security Tracker Sprint: (Roberto)
  + Only 6 confirmed participants, 2 not regular contributors
  + Reminder: announce your involvement (cf. issue of the month above)
  + Roberto not able to come in person this year but will participate remotely
  + Focused on security tracker, but not only
  + During the full debcamp week, not specific days, depending on when
    contributors have time

- ELTS arm* porterbox/lab to investigate buildd failures (Beuc)
  + ELTS dists not available in Debian porterboxes
  + debvm (qemu): 10-20x slower due to arm-on-amd64 emulation; not
    exactly the same hardware anyway and fails differently; many more
    timeout-related issues
  + specific buildd setup (sbuild, overlayfs, different kernels...) hard
    to identify and reproduce; many hours spent on making and testing
    hypotheses when trying to figure out ARM build or test failures
    * Action: [santiago] ask Freexian about the feasibility to have
      porterboxes for ELTS archs. Include in the inquiry the question of
      whether we try to have porterboxes for all possible hardware
      variations, only the most common, or something in between.
      # Internal issue filed.
    * Beware that Debian porter/buildd was updated since stretch; beware
      of forward compatibility of the box. Trixie porter boxes are maybe
      the most suitable for stretch.

- Discussion: <no-dsa> CVEs and upload conflict (Roberto/Santiago)
  + Detailed process discussion (Guilhem)
  + The security team (jmm) says we can use
    security-tracker:data/next-point-update.txt file (specific to track
    the pending SPU uploads), to notify the security-team that an update
    is in progress by us to fix <no-dsa> issues, *even if SRM didn't
    accept the update yet*. This is to avoid conflict with the security
    team if they also prepare an update and didn't notice all the current
    WIP PU.
  + We could also file a bug against the package we're updating to ensure
    there's awareness, for the maintainer and the security team, as soon
    as our work starts (maybe using a specific user tag?)
  + Action: [guilhem] propose an MR with detailed guidance on
    data/next-point-update.txt

- Debusine-based workflows (Santiago)
  + Does Debusine r-deps autopkgtests support comparing with the
    previous version of the package? Something like what we have in the
    elts-staging + britney2 (Charles)
    * No reference test yet, it is ongoing work; maybe in September;
      great for LTS since we don't have that tooling at all (unlike
      ELTS)
  + Reminder: Debusine beta for LTS and ELTS workflow
  + Signing issue raised last month (requiring to sign binary packages)
    was recently fixed, only source package needs to be signed for ELTS
    now
  + We could discuss this further in the LTS BoF

- AOB
  + firmware package (tobi): special package, non-free, requires
    different approach to fixing CVEs, tied to the kernel itself,
    security-team is considering options such as cherry-picking.
  + Same for firmware-like packages like ca-certificates, that need
    updates directly from sid. Beware: no CVEs are issued for certificate
    issues.
    * similar to tzdata as well. Tzdata update is known to break
      testsuites (like postgres or MariaDB)
  + Setup KGB in #debian-lts for MRs and issues in
    lts-team/lts-team.pages.debian.net (Charles)
    * ACTION: charles send message to debian-lts@
  + Reminder: we have an LTS BoF during DebConf to discuss ideas/issues
    in person
    * We can prepare an agenda
      https://pad.dc25.debconf.org/p/106-debian-lts-bof

- Next meeting: 2025-07-24 [Location: #debian-lts on IRC]
  + Decide if we maintain that meeting depending on the BoF

Present:
Roberto
Beuc
Thorsten Alteholz
guilhem
Lucas Kanashiro
Faidon Liambotis
tobi
Santiago
rouca
Lee
Jochen
Charles
Paride

Apologies:
Adrian
Helmut


-- 
Roberto C. Sánchez

