Debian LTS Logo

Here is my transparent report for my work on the Debian Long Term Support (LTS) project, which extends the security support for past Debian releases, as a paid contributor.

In April, the monthly sponsored hours were split evenly among contributors depending on their max availability - I declared max 30h and got 17.25h.

Most of my time was spent on frontdesk duties, in particular vulnerabilities (CVE) triaging, so other contributors quickly know what to work on.
In all honesty I spent more time than assigned, as I took upon myself to dig how things work. Fun facts:

  • The (stable, non-LTS) Debian Security Team has a dozen members but the vast majority of the work is done by 2 people - every single day.
  • The main workflow is: import a daily list of new (public) CVEs from MITRE, batch classify for-us/not-for-us, locate information (patches...), determine severity, and possibly fix. I'm not sure how we're notified of private (embargoed) issues, they are rare.
  • The CVE list grew to a 19MB text file, which Git is pathologically bad at handling. Be ready to git gc regularly and forget about git blame (which is annoying when tracking the evolution of a particular vulnerability).
  • We discussed how to justify whether to fix a vulnerability, with topics on funding and light justifications ("minor issue").
  • Dealing with MITRE is still difficult, I couldn't get CVE-2018-19211 properly marked as duplicate and we had to de-dup on our side; however they did right on not rejecting CVE-2018-19217 as I asked since we eventually tracked a totally different affected version.

Anyway, for a more formal report:

  • triage of new and past undetermined vulnerabilities for jessie: samba (dla-needed), evolution-ews (dla-needed + open bug), libpodofo (ignored), claws-mail (dla-needed + open bug), kgb-bot (refresh status), systemd (dla-needed), cacti (dla-needed), wireshark (5 dla-needed, 5 not-affected jessie, 3 not-affected stretch), android-platform-system-core (NFU/not for us), exiv2 (not-affected), spip (not-affected), twitter-bootstrap (no-dsa, minor), ncurses (undetermined to duplicate + already fixed, clarify with upstream and MITRE), xslt (still no info from Apple), wpa (2 ignored + dla-needed), webkit2gtk (unsupported), epiphany-browser (not affected), gradle (dla-needed + open bug), qt4-x11 (dla-needed), libxslt (dla-needed), axis (dla-needed + report wrong link), gpac (dla-needed)
  • ghostscript: jessie-security update, backporting stretch-security's
  • answer user request on debian-lts
  • workflow discussions: double-posting annoucements, justifying (non-)updates
  • doc updates (reference logos page, update mailing-lists URLs, clamav handling, triage process, www update rationale

If you'd like to know more about LTS security, I recommend you check: