Bug#1031046: Only include in Bookworm with commitment to stable updates

Jonas Smedegaard jonas at jones.dk
Fri Dec 13 10:58:58 GMT 2024


Quoting Martin Rampersad via Pkg-voip-maintainers (2024-12-13 02:17:00)
> It is my assumption that this bug opened because the security team was
> left with a stable package that nobody on the pkg-voip-team was
> maintaining, so I understand why they don't want that to happen again,
> especially with a package with as many CVEs as asterisk. Please
> correct me if I'm wrong about this.

I am not the security team, but the above loosely matches my
understanding as well.


> I would like to deliver confidence about my ability to backport
> security patches to asterisk. I fail to see how submitting a rendering
> or workflow bug to the tracker pseudo-package accomplishes this. You
> still won't know if I can do a backport.

Yes. I understand, but...

> I'm only trying to do as little work as possible that does not
> directly benefit my stated goal of getting asterisk back in stable.

Seen from the Debian side of this, your approach of "as little work as
possible" kinda sticks out, when you are new around here and it is the
only thing you can say.

Security team says "show us the money", and this team waits until all
the money has bled dry and then instead of saying "probably a waste of
your time, but here are the pennies left", you say "waste of my time, so
I pass on that".

Thing is, when the security team filed this bug report, severe issues
were pending for asterisk officially in Debian. Time went by with no one
but me (not only showing an interest verbally, but also) doing tasks
relevant to asterisk officially in Debian.  Now close to the freeze several
people show up - which is great, that is always great, don't get me
wrong - and that is a) most likely too late to demonstrate real effects
on the team having grown bigger, before the freeze kicks in, also
because b) it is several months after the largest chunk of work needing
tending to is no longer in the hands of Debian but has been handed over
to the LTS team.

You are right, that you don't prove yourself able to tackle security bugs in
asterisk code by reporting a bug in a web app.  But you do demonstrate
a relevant skill of interacting with the Debian bugtracker, and you do
demonstrate slightly more commitment than by not doing it. I don't say
that you must jump through hoops and do "meaningless idiotic work", and
I don't know if you are super skilled in Debbugs already. What I react
on is that when the *sum* of what we as a team can show in this
bugreport is promise of future commitment + explicit statement of
non-commitment to things slightly off of our narrowly defined duties,
then that is disturbing to me.

> I notice that asterisk in oldstable is receiving "non-maintainer"
> updates. Is the pkg-voip-team allowed to pitch in for this? Is it
> possible for me to contribute by helping catch up on the backlog of
> CVEs there? This seems like work I could do right now that directly
> benefits asterisk, takes work off the security team, and also shows I
> can do the main thing I will be spending the next three years doing.

The package in oldstable is no longer the responsibility of Debian.
This team (is just a bunch of volunteers that can decide that its
purpose is to go skateboarding on Tuesdays and not care at all about
asterisk, but since you ask me for my opinion) is about maintenance of
official Debian released packages (until we get that ball rolling - I am
open to then expand our activities to do backports, sideports and booths
at venues - but first things first).

Personally you are more than welcome to join the LTS team, and receive
payment for helping out with their responsibilities.  And yes, your
paid work there is a strong argument here that you are actively working
on things related to the asterisk packaging officially in Debian, because
LTS work is very similar to Debian work, so confidence is so much higher
that your growing experience there is helpful when a complex situation
occurs here.  So please go ahead and join the LTS team!


> As for "why are you really joining this team", I am a long time user
> of asterisk in Debian for my business. I noticed, like many others,
> that it fell off bookworm. I initially messaged the mailing list with
> a request to make private builds of the software easier, but your
> insistence on only doing work that would benefit the official Debian
> build convinced me to join and fix asterisk the right way.
> 
> I have no plans to discontinue use of asterisk in my business, so I
> felt it would be reasonable to commit to the lifecycle of the next
> release at least.

Your volunteering here is genuinely much appreciated.

I sure hope you will stick around even if it turns out that now is too
late for reintroducing asterisk in next stable release, and we will
have to "sit it out" until the next release.


Kind regards,

 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/
 * Sponsorship: https://ko-fi.com/drjones

 [x] quote me freely  [ ] ask before reusing  [ ] keep private