On Fri, Jun 13, 2014 at 03:39:59PM +0200, Moritz Mühlenhoff wrote:
> On Fri, Jun 13, 2014 at 03:15:31PM +0200, Holger Levsen wrote:
> > Hi,
> >
> > On Friday, 13 June 2014, Raphael Hertzog wrote:
> > > Please review the attached draft, share your comments and let me know if I
> > > missed your company.
> >
> > I don't like the focus / expressed view that LTS is made possible by
> > sponsoring organisations rather than volunteers. I think it sets a bad
> > precedent.
>
> * There have been five updates so far:
> https://lists.debian.org/debian-lts-announce/2014/06/threads.html
> 3/5 have been released by existing security team members and we've always
> stated that we help to get this started, but it needs to be a self-hosting
> service

I was under the impression that security team members were releasing updates
for LTS alongside the rest of the distributions, where those team members were
also interested in LTS. I'd be happy to backport security fixes from wheezy to
squeeze, if they weren't already done.

> * No one has taken care of the linux-2.6 update, although all the patches
> have been prepared and Carlos has made various tests

For me at least, the idea of doing a kernel security update is slightly
daunting. And, up until the last few days, there was a big comment at the top
of lts-needed.txt that said that linux-2.6 updates were tracked separately,
which led me to believe it was being taken care of. I'll get onto this.
(lts-needed.txt updated)

> * No one is taking care of updating lts-needed.txt or other triage

I'd be happy to contribute to this, except I'm not sure *how*. Is it a matter
of watching mailing lists (if so, which ones?) and adding issues as they're
reported? Reloading the security-tracker page a couple of times a day and
manually comparing the two lists (that seems... inefficient)? Watching changes
to dsa-needed.txt and copying across the ones that match (slightly less
inefficient)? So far, I've been watching for DSAs that don't get a matching
LTS update (but which appear vulnerable in squeeze) and working on those.

> So, from my view it's fairly obvious that Debian LTS will only be sustainable
> if there's an ongoing base of sponsored work.

Is that how the current security team operates, on sponsored work (I ask that
legitimately -- I have no idea)? If so, then yes, it's fairly unlikely that LTS
will survive based entirely on volunteer effort. On the other hand, if the
security team manages to produce the fine work it does primarily with volunteer
labour, it wouldn't seem impossible that LTS could do the same.
Please remember that the non-security-team members of the LTS effort are (I
presume) all total n00bs at doing security work, so it's not *entirely*
surprising we're not going to be great at it at first. What would really help
*me*, at least, is if you notice things not working up-to-spec, you call them
out (like you've done here) and help those of us who say "yep, that sucks, how
can we do it better?" to get better.

- Matt

Archive: https://lists.debian.org/[email protected]
