As far as I understand all of those packages can be added into the dla-needed without pre-review? Why not just put all of them together.
OK, maybe with the short note "needs manual checking" or similar.

Regards
Anton

On Tue, 17 May 2022 at 14:43, Sylvain Beucler <b...@beuc.net> wrote:
>
> Hi,
>
> On 17/05/2022 08:44, Ola Lundqvist wrote:
> > When doing triaging this week as part of the front desk assignment I
> > realized that the lts-cve-triage.py script outputs the following
> > section "Other issues to triage for stretch (not yet triaged for
> > buster)" after "Issues postponed for stretch, but fixed in buster via
> > DSA or point releases".
> >
> > I think people before me have missed to help with that triaging
> > because that list of packages to check is long. At least it is easy to
> > miss it.
>
> See https://lists.debian.org/debian-lts/2022/04/msg00011.html for
> context. I also talked about it during the monthly meeting.
>
> "Issues postponed for stretch, but fixed in buster via DSA or point
> releases" is a long section because it's new, it shouldn't stay that way.
>
> I'm not sure why the past few front-desk didn't tackle it already
> despite the above communications, in any case I plan to tackle it during
> my FD slot next week if nobody beats me to it.
>
>
> > Now to the question. Do we generally wait for the Debian Security team
> > to do their analysis before LTS do it? If that is the case, the
> > current list makes sense. If not I think my proposed change should be
> > done.
> >
> > I have done a change so that "Issues postponed for stretch, but fixed
> > in buster via DSA or point releases" is much further down in the list
> > because it is generally not so important for triaging work, compared
> > to the other ones.
> >
> > Any objections? If not, I'll commit the change tomorrow.
>
> This section is where we are late compared to stable/oldstable, where
> CVEs are already fixed and published in Debian, but not in Debian LTS,
> sometimes months after.
>
> This sounds more urgent to me than checking untriaged CVEs, hence why
> it's output before. So I'd keep the ordering as-is.
>
> Cheers!
> Sylvain Beucler
> Debian LTS Team
>