Hey,

On Tue, Jul 12, 2022 at 06:12:04PM +0200, Markus Koschany wrote:
> Hi Ola,
>
> adding the security team to CC to get some feedback from them
>
> Am Dienstag, dem 12.07.2022 um 13:58 +0200 schrieb Ola Lundqvist:
> > [...]
> > We (as LTS team) are obviously not responsible for buster yet.
> >
> > But are we responsible for anything? It looks like we are in a limbo.
> >
> > What should I triage as front desk?
> > - Stretch?
> > - Buster?
>
> Stretch is EOL and Buster triaging is currently the responsibility of the
> security team. What we still and always can do to support them is:
>
> - find more information about CVE
> - update the security tracker with additional information, links to patches,
>   bug reports etc.
> - file bug reports and inform Debian maintainers about vulnerable packages
>
> - we just don't decide on the severity and whether a DSA will be announced, so
>   please don't mark the CVE as ignored, no-dsa, etc. for now
Correct, thanks. When in doubt about committing something about your findings
to the tracker, feel free to ask the team alias as well.

> @ security team
>
> Just to make sure. How can someone from the LTS team help with fixing packages
> in dsa-needed.txt? What would be the correct procedure?

If a security-team external contributor wants to contribute an update which is
required as listed in dsa-needed, please just ping us at team@s.d.o with either
the intention, but then follow with debdiffs, or propose the debdiff already.
We will make a note in dsa-needed that someone is working on an update. Do not
self-assign entries in dsa-needed, as they are handled as indicating who is
releasing the DSA.

> > I assume adding no-dsa packages to dla-needed.txt is OK if they can be
> > included in the next Buster point release?

Do you mean dla-needed.txt really here? In any case, if someone wants to
propose an update which does not require a DSA and can be fixed in a point
release, there is no special coordination needed with the security team
(though a CC would be appreciated in any case); simply follow the procedure
for updating packages in stable and oldstable and propose the update to the
Stable Release Managers.

But I assume you really meant dla-needed here, as part of the LTS
contributor's workflow to mark interest in updating something in buster?

Regards,
Salvatore