During October, I spent 10 hours on paid LTS work. I should have worked 4 hours more, but for various reasons this did not happen. Instead I’ll spend 4 more hours in November.
During this time, I did the following:
- CVE triage: this month I pushed 23 commits to the security tracker SVN repository, and filed #765352 against wpa.
- I released a mysql-5.1 update (DLA-75-1) fixing 3 CVE.
- I sponsored the upload of ppp 2.4.5-4+deb6u1 for DLA-74-1 which had been prepared by Andrew Bartlett.
- I uploaded a new version of apache2 (DLA-71-1) fixing 2 CVE.
- I filed a few bugs against debian-security-support to request that some packages be marked as unsupported in squeeze: #765374 for axis2c and
rampart, #765452 for a new feature allowing binary packages to be marked as unsupported so that glassfish-appserv can be marked as such (this is #765454).
After a few months of work on LTS, I’m starting to have a better grasp on the worflow and on what can be done or not. But I’m still astonished that we have so few squeeze users on the mailing list. If you’re using Squeeze, please subscribe to the list and test the packages that contributors are submitting for tests/validation. It really helps to have some feedback from real users before releasing an update, in particular when the Debian contributor who prepared the update is not a user of said package… not everybody has the skills required to prepare security updates, but everybody can help test packages, you have no excuses.
And we still need more organizations joining the LTS project, either by providing help (like Catalyst did by letting Andrew Bartlett work on LTS, thanks to them!) or by sponsoring the
project and letting others do the work.