On Wed, Dec 11, 2024 at 02:35:00PM -0500, Roberto C. Sánchez wrote:
> On Tue, Dec 10, 2024 at 01:45:49AM +0200, Adrian Bunk wrote:
> > On Mon, Dec 09, 2024 at 07:22:30PM -0300, Santiago Ruano Rincón wrote:
> > >
> > > To be discussed. The issue with dla-needed (in its current form) and
> > > bookworm point updates is that dla-needed is aimed at the LTS release.
> >
> > Current practice is that new DLAs are in dla-needed, and incomplete DLAs
> > (e.g. missing git) are gitlab issues.
> >
> > Any DLA-fixed CVE that is fixed in bullseye but not in bookworm would
> > have to come from a DLA during the past 3.5 months where the contributor
> > failed to submit the fixes from a DLA to bookworm.[1]
> >
> > I would treat these as incomplete DLAs, where a gitlab issue should be
> > created and assigned to the person who provided the DLA.
> >
> Only they aren't necessarily incomplete DLAs.
>...

I thought submitting DLA fixes also to (old)stable was part of our job.
I have done -pu uploads for 14 of my DLAs and DSAs for 5 of my DLAs this
year so far.

> For some, the DLA was
> already published and completed and what was "missing" was an assist to
> the maintainer and/or SRM to get an update for a point release.
>...

I have a hard time understanding what you are thinking when you write
"an assist to the maintainer and/or the SRM".

DLA, DSA and (old)stable-pu all work similarly:
You upload a package and you send an email.

The email might be a release announcement (DLA), or a debdiff for
review (DSA, pu). And there are some differences in the order between
upload and email.

I don't recall if I ever fixed the same CVE in all 6 releases from an
NMU in sid down to jessie, but if that happened it was 6 uploads with
4 different ways to announce/submit.

> Regards,
>
> -Roberto

cu
Adrian
