Like each month, here comes a report about the work of paid contributors to Debian LTS.

Individual reports

In December, 113.50 work hours have been dispatched among 9 paid contributors. Their reports are available:

• Antoine Beaupré did 11.5h.
• Ben Hutchings did 15 hours (out of 15 hours allocated + 10 extra hours remaining, meaning that he still has 10 extra hours to do over February).
• Chris Lamb did 18 hours.
• Guido Günther did 13 hours (out of 12 hours allocated + 1 remaining).
• Mike Gabriel did 16 hours (8 hours allocated + 8h remaining).
• Santiago Ruano Rincón did 18 hours (out of 12h allocated + 8.50 remaining, thus keeping 2.50 extra hours for February).
• Scott Kitterman did 8 hours.
• Thorsten Alteholz did 30 hours.

Evolution of the situation

As expected, we had a small drop in the amount of hours sponsored. New sponsors (re-)joined but others stopped too (Gree this time)… mostly balancing the result. We only lost 2 hours of sponsored work.

It would be nice if we could invert that curve and actually start again to get closer to our objective of funding the equivalent of a full time position. Let’s hope that the switch to wheezy as the version supported by the LTS team will motivate many companies relying on Debian 7 in their IT system.

In terms of security updates waiting to be handled, the situation is close to last month(17 packages in dla-needed.txt, 27 in the list of CVE). It looks like that having about 20 packages needing an update is the normal situation and that we can’t really get further down given the time required to process some updates (sometimes we wait until the upstream authors provides a patch, and so on).

Thanks to our sponsors

New sponsors are in bold.

• Platinum sponsors:
• TOSHIBA (for 4 months)
• Gold sponsors:
• The Positive Internet (for 20 months)
• Blablacar (for 19 months)
• Linode LLC (for 9 months)
• Silver sponsors:
• Domeneshop AS (for 19 months)
• Université Lille 3 (for 19 months)
• Trollweb Solutions (for 17 months)
• Nantes Métropole (for 13 months, renewal after a small break)
• University of Luxembourg (for 11 months)
• Dalenys (for 9 months)
• Univention GmbH (for 5 months)
• Université Jean Monnet de St Etienne (for 5 months)
• Bronze sponsors:
• David Ayers – IntarS Austria (for 20 months)
• Offensive Security (for 20 months)
• Seznam.cz, a.s. (for 20 months)
• Evolix (for 19 months)
• Freeside Internet Service (for 19 months)
• MyTux (for 19 months)
• Linuxhotel GmbH (for 17 months)
• Intevation GmbH (for 16 months)
• Daevel SARL (for 15 months)
• Bitfolk LTD (for 14 months)
• Megaspace Internet Services GmbH (for 14 months)
• Greenbone Networks GmbH (for 13 months)
• NUMLOG (for 13 months)
• WinGo AG (for 12 months)
• Ecole Centrale de Nantes – LHEEA (for 8 months)
• Sig-I/O (for 6 months)
• Entr’ouvert (for 4 months)
• Adfinis SyGroup AG

While the details about how to join the set of paid contributors have always been public (here) we did not advertise this fact very much outside of the people already interested in LTS (and thus subscribed to debian-lts@lists.debian.org). But right now we would like to have a few more paid contributors on board and I’m thus posting this call for volunteers.

Who can apply?

You need to meet those requirements:

• you are Debian Developer or a Debian Maintainer;
• you have some prior experience with providing security updates in Debian (at least on your own packages);
• you have good programming skills and know multiple languages (to be able to backport security fixes);
• you can emit invoices to Freexian;
• you accept the rules defined for this project:
• you must respect the privacy of any customer data;
• you must prepare a public monthly report of the work done on paid time;
• you must respect the Debian code of conduct and respond to queries about your work from fellow community members;
• you must do your best to meet the high-quality standards set by the Debian security team.

Even though Freexian is located in France and requires you to provide invoice in EUR, there are no conditions on your nationality or country of residence. For contributors outside of the Euro zone, Freexian is using Transferwise to pay them with minimal currency conversion costs (Paypal is also possible if nothing else works).

The rate offered to paid contributors is the same for all (75 EUR/hour), it’s based on a correct rate for independent contractors in western Europe. If the rate is very high for your own country, then be happy to be able to invoice Freexian at this rate and use this opportunity to work less (for money) and contribute more to Debian on your (now copious) free time.

How does the work look like?

If you apply, you will have to send us an SSH key so that you can have access to the internal git repository used for work. It contains a ledger file to track the hours funded by sponsors and how they have been dispatched to the various contributors. You can always know how many hours are assigned to you, how many can be invoiced, and so on. You will have to update it once a month to record the work you did (and indicate us where the report has been published).

The repository also contains a README with many explanations about the workflow (how hours are dispatched, the delay you have to publish your report, etc) and a small helper script (./find-work) to match up the pending updates (registered in dla-needed.txt) with the popularity of the package among the sponsors.

Now the work itself is relatively well documented in the LTS wiki. You will have to provide updates for packages that need an update.

You have some freedom in selecting the packages but at some point you will have to work on packages that you don’t know that are written in a language that you have almost not used. So you must be able to go out of your comfort zone and still do a good work. You must also be able to multi-task because in some cases you will get stuck on a particular update and you will have to seek help from the upstream developer (or from the Debian package maintainer). Don’t expect to be able to do all your work hours in a single run… thus don’t wait until the last days of the month. Start early and dispatch your work hours over the month.

From time to time, you will also have to handle the “LTS frontdesk” for one week. During this week, you need to spend a bit of time every day to triage the new CVE, to respond to questions on the mailing list, and to sponsor updates prepared by volunteers who do not have upload rights.

Questions?

Ask your questions in the comments and I will update this section with your questions and our answers.

What if I have no prior experience with security updates?

Start getting some experience. The LTS and security teams are open for anyone to join. Read their documentation and provide some updates that other contributors can sponsor.

Before accepting you as paid contributor, we generally ask you to prepare one or two DLA on your free time just to make sure that you know the workflow and that you are up to the task.

What if I have only X hours available for paid LTS work?

In the git repository there’s a file where you document how many work hours you can handle. You might get less than this amount, but we generally never assign less than 8 hours (to make sure that you can handle one complicated update from start to end, or your possible week of LTS frontdesk).

You can adjust it each month or even opt-out if you are not available for whatever reason. But once you have been assigned work hours, it’s important to actually do the work that you requested!

How do I apply?

Get in touch with me (as documented).

Like each month, here comes a report about the work of paid contributors to Debian LTS.

Individual reports

In December, 113.50 work hours have been dispatched among 9 paid contributors. Their reports are available:

• Antoine Beaupré did 8h for his first month of work on LTS.
• Ben Hutchings did 20 hours (out of 15 hours allocated + 15 extra hours remaining, meaning that he has 10 extra hours to do over January).
• Chris Lamb did 12 hours.
• Guido Günther did 9 hours (out of 8 hours allocated + 2 remaining, thus keeping 1 extra hour for January).
• Mike Gabriel did nothing (the 8 hours allocated are carried over for January).
• Raphaël Hertzog did 21.25 hours (18h allocated + 3.25h taken over from Mike’s unused hours of November).
• Santiago Ruano Rincón did 15 hours (out of 18.25h allocated + 2 remaining + 3.25 taken over from Mike’s unused hours of November, thus keeping 8.50 extra hours for January).
• Scott Kitterman did 8 hours.
• Thorsten Alteholz did 21.25 hours (out of 18.25h allocated + 3 hours taken over from Mike’s unused hours of November).

Evolution of the situation

We lost our first silver sponsor (Gandi.net, they prefer to give the same amount of money to Debian directly) and another sponsor reduced his sponsorship level. While this won’t show in the hours dispatched in January, we will do a small jump backwards in February (unless we get new sponsors replacing those in the next 3 weeks).

This is a bit unfortunate as we are rather looking at reinforcing the amount of sponsorship we get as we approach Wheezy LTS and we will need more support to properly support virtualization related packages and other packages that were formerly excluded from Squeeze LTS. Can you convince your company and help us reach our second goal?

In terms of security updates waiting to be handled, the situation is close to last month. It looks like that having about 20 packages needing an update is the normal situation and that we can’t really get further down given the time required to process some updates (sometimes we wait until the upstream authors provides a patch, and so on).

Thanks to our sponsors

We got one new bronze sponsor but he’s not listed (he did not fill the form where we request their permission to be listed).

• Platinum sponsors:
• TOSHIBA (for 3 months)
• Gold sponsors:
• The Positive Internet (for 19 months)
• Blablacar (for 18 months)
• Linode LLC (for 8 months)
• Silver sponsors:
• Domeneshop AS (for 18 months)
• Université Lille 3 (for 18 months)
• Trollweb Solutions (for 16 months)
• University of Luxembourg (for 10 months)
• Rentabiliweb Group (for 8 months)
• Univention GmbH (for 4 months)
• Université Jean Monnet de St Etienne (for 4 months)
• Bronze sponsors:
• David Ayers – IntarS Austria (for 19 months)
• Offensive Security (for 19 months)
• Seznam.cz, a.s. (for 19 months)
• Evolix (for 18 months)
• Freeside Internet Service (for 18 months)
• MyTux (for 18 months)
• Linuxhotel GmbH (for 16 months)
• Intevation GmbH (for 15 months)
• Daevel SARL (for 14 months)
• Bitfolk LTD (for 13 months)
• Megaspace Internet Services GmbH (for 13 months)
• Gree, Inc. (for 12 months)
• Greenbone Networks GmbH (for 12 months)
• NUMLOG (for 12 months)
• WinGo AG (for 11 months)
• Ecole Centrale de Nantes – LHEEA (for 7 months)
• Sig-I/O (for 5 months)
• Entr’ouvert (for 3 months)