Here is my transparent report for my work on the Debian Long Term Support (LTS) and Debian Extended Long Term Support (ELTS), which extend the security support for past Debian releases, as a paid contributor.
In May, the monthly sponsored hours were split evenly among contributors depending on their max availability - I was assigned 17.25h for LTS (out of 30 max; all done) and 9.25h for ELTS (out of 20 max; all done).
A survey will be published very shortly to gather feedback from all parties involved in LTS (users, other Debian teams...) -- let us know what you think, so we start the forthcoming new (Stretch) LTS cycle in the best conditions.
Discussion is progressing on funding & governance of larger LTS-related projects. Who should decide: contributors, Freexian, sponsors? Do we fund with a percentage or by capping resources allocated on security updates? I voiced concerns over funding these at the expense of smaller, more organic, more recurrent tasks that are less easy to specify but greatly contribute to the overall quality nevertheless.
ELTS - Wheezy
- mysql-connector-java: upgrade to 5.1.49, refresh patches, document/run test suite, prepare upload, prepare upgrade path (+ see LTS)
- CVE-2020-3810/apt: triage (affected), enquire about failing test, run test suite, security upload ELA 228-1
LTS - Jessie
- ansible: global triage: finish last month's triage, fix affected versions, provide reproducer
- ansible: backport patches to early version, security upload DLA 2202-1
- mysql-connector-java: propose 5.1.49 update to all dists (+ see ELTS)
- CVE-2019-20637/varnish: global triage: ping upstream, get PoC, determine status for all Debian dists, jessie not-affected
- public IRC team meeting
Documentation/Scripts
- LTS/TestsSuites/mysql-connector-java: first version
- LTS/Development: what to tidy/not-tidy in data/CVE/list after an upload
- LTS/Development: clarify CVE triaging following internal discussion
- Answer request wrt. openstack/keystone support
- dsa-needed.txt: fix stale entry, check on affected LTS developer's well-being