Monthly report about Debian Long Term Support, June 2023

Like each month, have a look at the work funded by Freexian’s Debian LTS offering.

Debian LTS contributors

In June, 17 contributors have been paid to work on Debian LTS, their reports are available:

• Abhijith PA did 12.0h (out of 6.0h assigned and 8.0h from previous period), thus carrying over 2.0h to the next month.
• Adrian Bunk did 28.0h (out of 0h assigned and 34.5h from previous period), thus carrying over 6.5h to the next month.
• Anton Gladky did 5.0h (out of 6.0h assigned and 9.0h from previous period), thus carrying over 10.0h to the next month.
• Bastien Roucariès did 17.0h (out of 17.0h assigned and 3.0h from previous period), thus carrying over 3.0h to the next month.
• Ben Hutchings did 24.0h (out of 16.5h assigned and 7.0h from previous period).
• Chris Lamb did 18.0h (out of 18.0h assigned).
• Emilio Pozuelo Monfort did 24.0h (out of 21.0h assigned and 2.5h from previous period).
• Guilhem Moulin did 20.0h (out of 20.0h assigned).
• Lee Garrett did 25.0h (out of 0h assigned and 40.5h from previous period), thus carrying over 15.5h to the next month.
• Markus Koschany did 23.5h (out of 23.5h assigned).
• Ola Lundqvist did 13.0h (out of 0h assigned and 24.0h from previous period), thus carrying over 11.0h to the next month.
• Roberto C. Sánchez did 13.5h (out of 9.75h assigned and 13.75h from previous period), thus carrying over 10.0h to the next month.
• Santiago Ruano Rincón did 8.25h (out of 23.5h assigned), thus carrying over 15.25h to the next month.
• Sylvain Beucler did 20.0h (out of 23.5h assigned), thus carrying over 3.5h to the next month.
• Thorsten Alteholz did 14.0h (out of 14.0h assigned).
• Tobias Frost did 16.0h (out of 16.0h assigned).
• Utkarsh Gupta did 0.0h (out of 0h assigned and 25.5h from previous period), thus carrying over 25.5h to the next month.

Evolution of the situation

In June, we have released 40 DLAs.

Notable security updates in June included mariadb-10.3, openssl, and golang-go.crypto. The mariadb-10.3 package was synchronized with the latest upstream maintenance release, version 10.3.39. The openssl package was patched to correct several flaws with certificate validation and with object identifier parsing. Finally, the golang-go.crypto package was updated to address several vulnerabilities, and several associated Go packages were rebuilt in order to properly incorporate the update.

LTS contributor Sylvain has been hard at work with some behind-the-scenes improvements to internal tooling and documentation. His efforts are helping to improve the efficiency of all LTS contributors and also helping to improve the quality of their work, making our LTS updates more timely and of higher quality.

LTS contributor Lee Garrett began working on a testing framework specifically for Samba. Given the critical role which Samba plays in many deployments, the tremendous impact which regressions can have in those cases, and the unique testing requirements of Samba, this work will certainly result in increased confidence around our Samba updates for LTS.

LTS contributor Emilio Pozuelo Monfort has begun preparatory work for the upcoming Firefox ESR version 115 release. Firefox ESR (and the related Thunderbird ESR) requires special work to maintain up to date in LTS. Mozilla do not release individual patches for CVEs, and our policy is to incorporate new ESR releases from Mozilla into LTS. Most updates are minor updates, but once a year Mozilla will release a major update as they move to a new major version for ESR. The update to a new major ESR version entails many related updates to toolchain and other packages. The preparations that Emilio has begun will ensure that once the 115 ESR release is made, updated packages will be available in LTS with minimal delay.

Another highlight of behind-the-scenes work is our Front Desk personnel. While we often focus on the work which results in published package updates, much work is also involved in reviewing new vulnerabilities and triaging them (i.e., determining if they affect one or more packages in LTS and then determining the severity of those which are applicable). These intrepid contributors (Emilio Pozuelo Monfort, Markus Koschany, Ola Lundqvist, Sylvain Beucler, and Thorsten Alteholz for the month of June) reviewed dozens of vulnerabilities and made decisions about how those vulnerabilities should be dealt with.

Thanks to our sponsors

• Platinum sponsors:
  • TOSHIBA (for 94 months)
  • Civil Infrastructure Platform (CIP) (for 62 months)
• Gold sponsors:
  • Roche Diagnostics International AG (for 105 months)
  • Linode (for 99 months)
  • Babiel GmbH (for 88 months)
  • Plat’Home (for 88 months)
  • University of Oxford (for 44 months)
  • Deveryware (for 31 months)
  • VyOS Inc (for 26 months)
  • EDF SA (for 15 months)
• Silver sponsors:
  • Domeneshop AS (for 109 months)
  • Nantes Métropole (for 103 months)
  • Univention GmbH (for 95 months)
  • Université Jean Monnet de St Etienne (for 95 months)
  • Ribbon Communications, Inc. (for 89 months)
  • Exonet B.V. (for 79 months)
  • Leibniz Rechenzentrum (for 73 months)
  • CINECA (for 62 months)
  • Ministère de l’Europe et des Affaires Étrangères (for 56 months)
  • Cloudways Ltd (for 46 months)
  • Dinahosting SL (for 44 months)
  • Bauer Xcel Media Deutschland KG (for 38 months)
  • Platform.sh (for 38 months)
  • Moxa Inc. (for 32 months)
  • sipgate GmbH (for 29 months)
  • OVH US LLC (for 27 months)
  • Tilburg University (for 27 months)
  • GSI Helmholtzzentrum für Schwerionenforschung GmbH (for 18 months)
  • Soliton Systems K.K. (for 16 months)
• Bronze sponsors:
  • Evolix (for 110 months)
  • Seznam.cz, a.s. (for 110 months)
  • Intevation GmbH (for 107 months)
  • Linuxhotel GmbH (for 107 months)
  • Daevel SARL (for 105 months)
  • Bitfolk LTD (for 104 months)
  • Megaspace Internet Services GmbH (for 104 months)
  • Greenbone AG (for 103 months)
  • NUMLOG (for 103 months)
  • WinGo AG (for 103 months)
  • Ecole Centrale de Nantes - LHEEA (for 99 months)
  • Entr’ouvert (for 94 months)
  • Adfinis AG (for 91 months)
  • GNI MEDIA (for 86 months)
  • Laboratoire LEGI - UMR 5519 / CNRS (for 86 months)
  • Tesorion (for 86 months)
  • Bearstech (for 77 months)
  • LiHAS (for 77 months)
  • Catalyst IT Ltd (for 72 months)
  • Supagro (for 67 months)
  • Demarcq SAS (for 66 months)
  • Université Grenoble Alpes (for 52 months)
  • TouchWeb SAS (for 44 months)
  • SPiN AG (for 41 months)
  • CoreFiling (for 36 months)
  • Institut des sciences cognitives Marc Jeannerod (for 31 months)
  • Observatoire des Sciences de l’Univers de Grenoble (for 28 months)
  • Tem Innovations GmbH (for 22 months)
  • WordFinder.pro (for 22 months)
  • CNRS DT INSU Résif (for 21 months)
  • Alter Way (for 14 months)
  • Institut Camille Jordan (for 3 months)

par Roberto C. Sánchez 15 juil., 2023 . Tags : debian-lts, planet-debian, report , 1046 Mots.