1. Forum
  2. Usenet
  3. LINUX.DEBIAN.SECURITY

  • DebCamp 25 Security Tracker sprint - planning announcement

    From Roberto =?iso-8859-1?Q?C=2E_S=E1nch@21:1/5 to All on Thu May 22 15:30:01 2025
    Greetings everyone,

    [I have addressed this email to the LTS mailing list, with the security
    team in BCC. This is so that replies to this thread that are not of
    specific concern to the security team do not unnecessarily inundate
    them.]

    **** Prologue

    As has been discussed on several occasions by now (e.g., on this mailing
    list, in IRC, and in any of several different LTS meetings/gatherings in
    the last few months), the LTS Team will be holding a sprint during
    DebCamp 25, with two primary focus areas: some LTS Team-specific needs
    and the security tracker. This message outlines various key bits of information. I have tried to keep this is as compact as possible and may
    have left something out in the process, so please do not hesitate to
    follow up with any questions or concerns. As I have been delayed in
    completing the necessary planning and sending out related announcements,
    I would ask that those who intend to participate please let me know ASAP (according to the guidelines specified below in the "Rules of
    engagement" section).

    **** Objective

    The objective of the DebCamp 25 security tracker sprint is to improve
    LTS Team tools and processes and along the way make improvements to the security tracker itself, as well as to associated/related tools,
    services, and documentation.

    The are many longstanding issues which affect the security tracker, both directly and indirectly. These issues affect the work of the LTS Team;
    some to a greater extent and others to a lesser extent. However, it is
    not necessary that things remain as they are. While we do continuously
    improve the tooling which the LTS Team uses to interact with the
    security tracker (and occasionally also which the security team uses as
    well), it seemed beneficial to organize and execute a focused sprint
    that would help to make substantial improvements in and around the
    security tracker. In particular, there are some changes which would be
    much more feasible if completed in a very short time and with the
    participation of multiple developers. We hope that this will not only
    result in marked improvements coming out of the sprint but will also
    create momentum to continue making improvements for some time.

    **** Issue categories and issue list

    The issues being targeted for the sprint fall into the following three categories:

    - Bug fixes and improvements to core elements of the security tracker
    itself
    - Bug fixes and improvements to tools and services which utilize the
    security tracker in some way
    - Documentation and miscellany which may or may not directly relate to
    the security tracker

    Rather than list the issues here in this email, I instead provide a link
    to planning issue in Salsa: https://salsa.debian.org/lts-team/lts-extra-tasks/-/issues/87

    Please look at the proposed issue list (the issue description will be
    kept up to date with the latest canonical listing) and discuss any
    proposed additions/deletions/other modifications in the comments of that
    issue.

    **** Rules of engagement

    In order to try to keep things relatively organized, I would very much appreciate it if everyone could help by adhering the following rules of engagement.

    ******** Remember that the Security Team owns the tracker

    It is vitally important to remember that the Security Team owns the
    tracker; the LTS Team are guests with some added special privileges. We
    must take great care that any change does not break an existing
    workflow. If a change has even the possibility of breaking an existing workflow, then that requires prior coordination with the Security Team.
    Note that a number of the candidate issues for the Sprint have the
    possibility of altering the tracker in a way that may result in just
    that sort of breakage. Potential work of this sort needs to be discussed
    (in the issue or BTS bug which describes the problem/work); if a
    response from the Security Team is not made in a timely fashion, PLEASE
    PLEASE PLEASE do not ping the Security Team about this directly. Rather,
    get in touch with the coordinators and we will mediate the exchange or
    find an alternate path.

    ******** Declare intention to participate

    If you plan to attend DebCamp and/or plan to participate *during* the designated sprint days, please let me know. If you prefer to let me know
    via private email, then that is completely fine. Please note that the
    more detail you can provide, the better; the most important thing being information about what specific days you plan to be present at the
    DebCamp venue, so that we can ensure adequate workspace for everyone who
    will be there.

    ******** Assign or claim issues


    Because the list of issues targeted for the sprint is very likely to
    evolve as the event nears (since work may be started before the event
    itself, or may start between now and then), it is important to assign
    yourself to any issue(s) you may be working on. For situations where an ownership claim is not feasible (i.e., the Debian BTS), make a comment
    stating your intent to work on the issue. If you have specific interest
    in an issue that someone else has already claimed, then get in touch
    with that person. It may be that the issue could be split into distinct
    parts, or that there is enough work to support concurrent claims/work on
    the issue. Please keep this information up to date; if you stop working
    on something or decide you won't be able to, then release the claim; if
    an issue is completely resolved, then please make note of that (and let
    me know so I can update the planning issue); etc.

    ******** Feel free to start working on issues before the sprint

    While there is a particular emphasis on a concentrated effort to be
    executed during the sprint at DebCamp itself, there is no particular
    reason that work cannot start prior to and continue after the event. If
    a particular issue is ready for work and you have the spare cycles to
    begin the work, then please go ahead and do so, updating the status of
    the issue(s) as work progresses. This is especially true of
    brainstorming, design, and related sorts of tasks, that if completed in
    advance will allow for a more fluid pace of work during the sprint.

    ******** Suggest improvements

    At this point I have received fairly little input concerning the sprint
    and the planned work. It is doubtless that I have overlooked things and
    made mistakes. Please make sure to suggest improvements, modifications
    to the issue list, etc.

    Regards,

    -Roberto
    --
    Roberto C. S�nchez

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)