Re: Issues fixed in buster and bookworm but not in bullseye
- To: debian-lts@lists.debian.org
- Subject: Re: Issues fixed in buster and bookworm but not in bullseye
- From: Roberto C. Sánchez <roberto@debian.org>
- Date: Sat, 11 Oct 2025 14:16:21 -0400
- Message-id: <aOqe9TQUCL9v7ezD@localhost>
- Mail-followup-to: Roberto C. Sánchez <roberto@debian.org>, debian-lts@lists.debian.org
- In-reply-to: <CAPP0f94sxcT=_CMTZfOWdar2NWVDkA=JFEYyV78-EyFifMbYVQ@mail.gmail.com>
- References: <CAPP0f97e2sCzA27BhiRycrmx+5ONyeZOMbqgdu6C6bTNituh=Q@mail.gmail.com> <71e25275a843ed1b13598e6e29cfb449da50c606.camel@debian.org> <73542984-4b08-4c0c-bfb2-7094797736fb@beuc.net> <CAPP0f94sxcT=_CMTZfOWdar2NWVDkA=JFEYyV78-EyFifMbYVQ@mail.gmail.com>
On Wed, Sep 24, 2025 at 08:52:13PM +0530, Utkarsh Gupta wrote:
> Hi Sylvain, Roberto,
>
> On Wed, Jul 30, 2025 at 12:44 PM Sylvain Beucler <beuc@beuc.net> wrote:
> > So, most of the remaining 23 packages, especially as it's only 1-2 CVEs
> > for each package, and especially when they are not sponsored, are very
> > low-priority.
>
> Apologies - just trying to close this thread..
>
> So are we OK with the regression story on upgrades if they're not
> sponsored? Whilst I still feel a bit odd about it, I don't know what
> the best economic path forward is. Should we put this in our backlog?
> Should 1 (or 2) person try to fix them all without adding load to the
> queue and the team? Or are we OK to simply ignore them?
>
I don't think that we 'simply ignore them'. Rather, we prioritize based
on our normal CVE triage guidelines, also taking into account the
severity of the CVE in question and the impact of an upgrade regression.

> And on the second thread, which got started, can we remind folks to
> use 25% of their time and fix issues for bookworm (via p-u), which
> have been fixed via DLA for bullseye?
>
I don't think that these updates would fall under the '25% rule'. That
is, they are security updates* rather than non-update work (e.g.,
documentation, tooling, support, etc.).

Regards,
-Roberto
* yes, they target stable in this case rather than LTS, but they are
still security updates
--
Roberto C. Sánchez