Greetings everyone,

This message is meant to make you aware of some activity that you will see from me in dla-needed.txt/ela-needed.txt in the coming days. My original plan had been to simply start making some updates, but I quickly realized that doing so unannounced was likely to cause some confusion.

First, some background. During the last monthly LTS meeting Emilio raised the issue of whether we are being overly aggressive in our pursuit of no-dsa issues. This was not the first time that this issue has been raised, and following the meeting I initiated a mailing list discussion [0]. Some of the ensuing discussion in that thread made it clear that this is a multi-faceted issue with a not very simple solution. Sylvain observed that overall package priority, in addition to individual CVE priority, should be considered. Samuel pointed out that the default position of other distros is to leave moderate and low severity issues unfixed in older distros, unless specifically requested by a user. In addition to this specific discussion thread, we have previously had feedback that our aggressiveness in fixing many low priority issues is not viewed as universally positive. This doesn't mean that we should refrain from fixing issues because not everybody likes it, but it should cause us to question if our current approach is the best of all possibilities.

So, what does this mean and what am I (or what are we) going to do about it? It is clear that our current approach has grown somewhat organically, and as a result it has perhaps grown to the point that we are not in the right balance. After having pondered all of this for a while, and after speaking at length with Santiago about this, I am of the opinion that we need:

- to re-evaluate the packages currently listed in dla-needed.txt/ela-needed.txt to determine whether they really belong there; that is, whether an immediate update is needed for those packages
- in the process of the above, I need to document some clearer criteria for how we treat priority/severity of individual CVEs and of packages (i.e., groups of CVEs)

To that end, in the coming days I plan to carefully review each package that is presently listed in dla-needed.txt/ela-needed.txt, and each package's related CVEs.

Along the way I will write down the criteria which will be used going forward (both by FD for initial triage and by anyone else doing additional triage after claiming a package), and once I have the documentation written I will prepare a MR and request reviews by certain individuals whose input I specifically want (though I will announce the MR to the whole team and anyone on the team will be welcome to comment).

If I make any updates to dla-needed.txt/ela-needed.txt that affect a package that you may be individually working on, or one that you may have worked on at some point in the recent past, I will follow up with you individually via email.

Regards,

-Roberto

[0] https://lists.debian.org/debian-lts/2025/05/msg00073.html

-- 
Roberto C. Sánchez
