This page keeps track of various tasks that need to be handled.

Introduction

This page is intended to contain a list of tasks which, though they are not direct security work on packages, need to be completed and benefit the LTS effort (and likely also security work on Debian in general).

Guidance

If you begin to work on one of these items, please update this page to reflect the ongoing status. Additionally, if a "small" task begins to take more effort than might be considered reasonable or if the direction of work/solution is unclear, discuss the matter on the debian-lts mailing list.

Task: Try to minimise regressions using DEP-8 tests

Status Information

Description

autopkgtest (DEP-8) and ci.debian.net can help to prevent (certain) regressions. We could add tests to important packages that receive regular updates. At a minimum, before uploading a package that has tests, autopkgtest should be run against a jessie image (running the tests on a local unstable system is not fully reliable).

TODO items

History

Task: Improve scripts to detect missing package assignments

Status Information

Description

There are many cases where a CVE should be assigned to multiple source packages (either because there are multiple copies of the same software, e.g. "tiff" and "tiff3", or because other source packages embed the vulnerable software). It would be nice if our CVE triaging script could detect when we are missing some package assignments.

There is data/embedded-code-copies in the security tracker, but none of our scripts use it at the moment.

See discussion starting at: https://lists.debian.org/debian-lts/2017/03/msg00177.html

Status: A PR was created. The security team raised some concerns, but it was not clear how this should proceed.
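The check described above, as an added illustration that is not part of the security tracker or of the PR mentioned: it cross-references CVE/list entries against an embedded-code-copies mapping and reports packages that embed or copy an assigned package but have no entry of their own. Both inputs are constructed excerpts; the embedded-code-copies syntax here is a simplified assumption, not the real file's format.

```python
import re
from collections import defaultdict

# Constructed data/CVE/list excerpt (not real tracker data): CVE header line,
# then tab-indented "- <source package> <version|tag> (notes)" entries.
CVE_LIST = """\
CVE-2017-0001 (Heap-based buffer overflow in the tiff library)
\t- tiff 4.0.8-1 (bug #000001)
CVE-2017-0002 (Integer overflow in libpng)
\t- libpng1.6 1.6.30-1
\t- xpdf <not-affected> (uses system libpng)
"""

# Constructed, simplified stand-in for data/embedded-code-copies: upstream source
# package, then tab-indented "- <package that embeds or copies it> (notes)".
EMBEDDED = """\
tiff
\t- tiff3 (fork; old branch)
\t- gdk-pixbuf (embed; tiff loader)
libpng1.6
\t- xpdf (embed)
"""
ENTRY = re.compile(r"^\t- (\S+)")  # the token after "- " is the package name

def parse_cve_list(text):
    """Map CVE id -> set of source packages that already have an entry."""
    assigned, cve = defaultdict(set), None
    for line in text.splitlines():
        if line.startswith("CVE-"):
            cve = line.split()[0]
        elif cve and (m := ENTRY.match(line)):
            assigned[cve].add(m.group(1))
    return assigned

def parse_embedded(text):
    """Map source package -> set of packages that embed or copy it."""
    copies, origin = defaultdict(set), None
    for line in text.splitlines():
        if line and not line.startswith("\t"):
            origin = line.strip()
        elif origin and (m := ENTRY.match(line)):
            copies[origin].add(m.group(1))
    return copies

def missing_assignments(cve_list, embedded):
    """CVE id -> sorted packages that embed an assigned package but lack an entry."""
    copies, report = parse_embedded(embedded), {}
    for cve, pkgs in parse_cve_list(cve_list).items():
        expected = set().union(*(copies.get(p, set()) for p in pkgs))
        if missing := sorted(expected - pkgs):
            report[cve] = missing
    return report
```

Any entry for a package, including a `<not-affected>` tag as for xpdf above, counts as a triage decision and is not reported; only packages with no entry at all are flagged.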

Task: automatically strip no-dsa tags by gen-DLA

Status Information

Description

Sometimes issues tagged no-dsa are fixed by an upload. In such cases the no-dsa tag currently has to be removed manually from CVE/list. It would be more reliable and convenient to do this with bin/gen-DLA, which would then strip existing no-dsa tags for the CVE IDs passed to the script.

Status: We do not have a convenient way of writing to the CVE list. The current parser strips required information, and as such the results cannot be written back to a file without losing information.
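One way around the lossy-parser problem noted in the status, as an added example that is not part of bin/gen-DLA or the security tracker: treat CVE/list as lines, track the current CVE id, and drop only the release-specific `<no-dsa>` line for the package being uploaded, copying every other line unchanged so the result can be written back. The excerpt is constructed, and the assumption that removing the `[jessie]` no-dsa line is the desired edit is this example's, not the page's.

```python
import re

# Constructed data/CVE/list excerpt (not real tracker data). The release-specific
# "[jessie] - <pkg> <no-dsa> (reason)" line is what a DLA upload makes obsolete.
CVE_LIST = """\
CVE-2017-0001 (Heap-based buffer overflow in the tiff library)
\t- tiff 4.0.8-1 (bug #000001)
\t[jessie] - tiff <no-dsa> (Minor issue)
\tNOTE: https://example.invalid/upstream-fix
CVE-2017-0002 (Integer overflow in libpng)
\t- libpng1.6 1.6.30-1
\t[jessie] - libpng1.6 <no-dsa> (Minor issue)
CVE-2017-0003 (Denial of service in gdk-pixbuf)
\t- gdk-pixbuf 2.36.0-1
\t[jessie] - gdk-pixbuf <no-dsa> (Minor issue)
"""

NO_DSA = re.compile(r"^\t\[(?P<release>[^\]]+)\] - (?P<pkg>\S+) <no-dsa>")

def strip_no_dsa(text, cve_ids, release, pkg):
    """Return (new_text, removed): the <no-dsa> line for `release`/`pkg` is dropped
    from each CVE in cve_ids. Every other line is copied byte-for-byte, which is
    what lets the result be written back without a lossy full parse."""
    out, removed, current = [], [], None
    for line in text.splitlines(keepends=True):
        if line.startswith("CVE-"):
            current = line.split()[0]
        elif current in cve_ids:
            m = NO_DSA.match(line)
            if m and m["release"] == release and m["pkg"] == pkg:
                removed.append(current)
                continue  # drop only this one line
        out.append(line)
    return "".join(out), removed

def unknown_cves(text, cve_ids):
    """CVE ids passed to the script that do not appear in the list at all."""
    present = {l.split()[0] for l in text.splitlines() if l.startswith("CVE-")}
    return sorted(set(cve_ids) - present)
```

Restricting the edit to the uploaded package means a CVE that also carries a no-dsa line for a different package (CVE-2017-0002 above when uploading tiff) is left alone, and `unknown_cves` lets the caller refuse a typo in a CVE id before touching the file.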

Task: Implement script to dispatch frontdesk duties and document on tagging of unavailable weeks

Status Information

Description

The last manual and auto-assignment was not optimal. Someone (anyone) in the team or a script must distribute the FD duties. Before each dispatch, contributors need to tag the weeks in which they will be unavailable.

Task: Improve documentation on frontdesk work: Handling bugs tagged no-dsa in oldstable

Status Information

Description

The reasons for a no-dsa in stable might not apply fully in oldstable (next point release, lack of manpower). We need to improve the frontdesk documentation to explain how we deal with no-dsa tags. We should not blindly follow the Debian security team's no-dsa tags.

Task: DLAs on www.debian.org

Status Information

Description

DLAs are now visible on www.debian.org, but there is still manual work to be done and the process can be improved:

History

Task: Improve the security-tracker to not break salsa

Status Information

Description

Fix https://bugs.debian.org/908678 so that the security-tracker doesn't break salsa.d.o (the problem is that data/CVE/list is too big, though the security team doesn't want to split the file...)

Task: Find upstream developers who are willing to work on LTS support

Status Information

Description

For difficult packages (frequent security updates where backports are hard and require domain specific knowledge), we should try to identify upstream developers who are willing to do the backporting work. They could be paid by Freexian for the hours where we need them.

Possible packages where we might need such help:

Write a list of the persons identified somewhere and send the hourly rates of those persons to deblts@freexian.com.

History

Task: Improve tools to automatically unclaim a claimed package after 2 weeks

Status Information

Description

As per the discussion started in Message-ID: <87a7mjsm9y.fsf@curie.anarc.at>

Status:

Task: Implement script to identify <no-dsa> CVEs that should be fixed

Status Information

Description

The criteria for marking CVEs with <no-dsa> are slightly different for the Security team compared with the LTS team. For instance, stable and oldstable (while it is still the responsibility of the security team) have regular point releases. Thus, the security team can mark a CVE as <no-dsa> and defer the fix to a point release update. LTS has no point releases, so there are circumstances where the LTS team would evaluate that same CVE as needing a fix.

The differences in criteria and the evolution of the releases over their lifecycle occasionally create a situation where a particular CVE is fixed in LTS-1 (i.e., the previous LTS release) and in LTS+1 (i.e., oldstable as maintained by the Security Team) but that same CVE is marked <no-dsa> in LTS.

The task, then, is to implement a script that identifies packages in the situation described above.
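A minimal version of that script, as an added example that is not part of the security tracker: it takes CVEs marked `<no-dsa>` for LTS in CVE/list and keeps those that a DLA fixed in LTS-1 and a DSA fixed in LTS+1. The release roles (wheezy/jessie/stretch) and the three excerpts are constructed assumptions for this example; the page names neither.

```python
import re
LTS_PREV, LTS, LTS_NEXT = "wheezy", "jessie", "stretch"  # assumed roles; the page names none

# Constructed excerpts (not real data) in data/CVE/list, DLA/list and DSA/list syntax.
CVE_LIST = """\
CVE-2017-0001 (Heap-based buffer overflow in the tiff library)
\t- tiff 4.0.8-1 (bug #000001)
\t[jessie] - tiff <no-dsa> (Minor issue)
CVE-2017-0002 (Out-of-bounds read in the tiff library)
\t- tiff 4.0.8-1
\t[jessie] - tiff <no-dsa> (Minor issue)
"""
DLA_LIST = """\
[10 Mar 2017] DLA-0001-1 tiff - security update
\t{CVE-2017-0001 CVE-2017-0002}
\t[wheezy] - tiff 4.0.2-6+deb7u9
"""
DSA_LIST = """\
[12 Mar 2017] DSA-0001-1 tiff - security update
\t{CVE-2017-0001}
\t[stretch] - tiff 4.0.8-2+deb9u1
"""

NO_DSA = re.compile(r"^\t\[(?P<rel>[^\]]+)\] - (?P<pkg>\S+) <no-dsa>")
CVES = re.compile(r"CVE-\d{4}-\d+")

def no_dsa_in(text, release):
    """Map CVE id -> package marked <no-dsa> for `release` in CVE/list."""
    result, cve = {}, None
    for line in text.splitlines():
        if line.startswith("CVE-"):
            cve = line.split()[0]
        elif (m := NO_DSA.match(line)) and m["rel"] == release:
            result[cve] = m["pkg"]
    return result

def fixed_by_advisories(text, release):
    """CVE ids fixed in `release` by an advisory whose entry names that release."""
    fixed, cves = set(), set()
    for line in text.splitlines():
        if not line.startswith("\t"):          # advisory header starts a new block
            cves = set()
        elif line.startswith("\t{"):           # the {CVE-... CVE-...} line
            cves = set(CVES.findall(line))
        elif line.startswith(f"\t[{release}] - "):
            fixed |= cves
    return fixed

def candidates(cve_list, dla_list, dsa_list):
    """<no-dsa> CVEs in LTS that both neighbouring releases have already fixed."""
    both = fixed_by_advisories(dla_list, LTS_PREV) & fixed_by_advisories(dsa_list, LTS_NEXT)
    return {c: p for c, p in no_dsa_in(cve_list, LTS).items() if c in both}
```

CVE-2017-0002 above is fixed in LTS-1 but not in LTS+1, so it is not reported; fixes that reached LTS+1 through a point release rather than a DSA are recorded in CVE/list instead and would need a second lookup this example does not do.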

Task: port security-tracker python2 scripts to python3

