Here is my transparent report for my work on the Debian Long Term Support (LTS) and Debian Extended Long Term Support (ELTS), which extend the security support for past Debian releases, as a paid contributor.
In September, the monthly sponsored hours were split evenly among contributors depending on their max availability - I was assigned 19.75h for LTS (out of my 30 max; all done) and 20h for ELTS (out of my 20 max; all done).
ELTS - Jessie
- qemu: jessie triage: finish work started in August
- qemu: backport 5 CVE fixes, perform virtual and physical testing, security upload ELA-283-1
- libdbi-perl: global triage: clarifications, confirm incomplete and attempt to get upstream action, request new CVE following discussion with security team
- libdbi-perl: backport 5 CVE fixes, test, security upload ELA-285-1
LTS - Stretch
- qemu: stretch triage, while working on ELTS update; mark several CVEs unaffected, update patch/status
- wordpress: global triage: reference new patches, request proper CVE to fix our temporary tracking
- wordpress: revamp package: upgrade to upstream's stable 4.7.5->4.7.18 to ease future updates, re-apply missing patches, fix past regression and notify maintainer, security upload DLA-2371-1
- libdbi-perl: common work with ELTS, security upload DLA-2386-1
- public IRC team meeting
Documentation/Scripts
- LTS/TestSuites/wordpress: new page with testsuite import and manual tests
- LTS/TestSuites/qemu: minor update
- wiki.d.o/Sympa: update Sympa while using it as a libdbi-perl reverse-dep test (update for newer versions, explain how to bootstrap admin access)
- www.d.o/lts/security: import a couple of missing announcements and notify uploaders about procedures
- Check status for pdns-recursor, following user request
- Check status for golang-1.7 / CVE-2019-9514 / CVE-2019-9512
- Attempt to improve cooperation after seeing my work discarded and redone as-is, which sadly isn't the first time; no answer
- Historical analysis of our CVE fixes: experiment to gather per-CVE tracker history