Debian LTS Logo

Here is my transparent report for my work on the Debian Long Term Support (LTS) and Debian Extended Long Term Support (ELTS), which extend the security support for past Debian releases, as a paid contributor.

In April, the monthly sponsored hours were split evenly among contributors depending on their max availability - I was assigned 28.75h for LTS (out of 30 max; all done) and 7.75h for ELTS (out of 20 max; I did 2.75).

Escalation procedures were (internally) documented with a focus on discussing issues with team coordinator(s) first.

Debian LTS had its first team meeting through IRC and lots of workflow question were discussed. This should help discuss questions that are a bit hard to bring up, and ensure everybody participates. There were lots of topics and it was a bit rushed, but this is something we want to repeat monthly now, possibly with audio/video in a couple months.

Remarks from last month's report were discussed, strengthening the Front-Desk role.

10% of the global funding is now reserved for infrastructure work. What kind of work, and who (LTS or external) will do the work, will be discussed further.

A fellow DD suggested (in a private conversation) that LTS may be taking time from the Debian Security team, due to additional commits to review. Conversely, this is another opportunity to mention all the global, non-LTS-specific work that LTS provides, which I usually highlight in my reports, and maybe I should be even more ;)

ELTS - Wheezy

  • CVE-2020-11612/netty: triage: ignored (deceptively hard to backport, OOM mitigation only)
  • mysql-connector-java: triage: in-progress (subscription-only update from Oracle, attempt to find more detail, waiting for public version)
  • CVE-2020-11868/ntp: global triage: identify and reference missing patch, coordinate with uploader

LTS - Jessie

  • netty, mysql-connector-java, ntp: common triage (see above)
  • CVE-2019-20637/varnish: global triage: attempt to reproduce, attempt to get PoC/vulnerable versions from upstream, update BTS
  • ansible: jessie triage: reset ignore->no-dsa old vulnerabilites after discussing with initial triager
  • ansible: global triage: identify more affected version ranges, locate more patches
  • ansible: prepare jessie upload (work-in-progress)
  • tiff: suites harmonization: offer to work on a tiff/stretch update, follow-up on maintainer's questions, who eventually did the update
  • dsa-needed.txt: identify stale entries from inactive LTS contributor, check for status
  • team meeting: see minutes