Harmonize the definition of 'triage' between LTS and Debian Security team

Right now, triaging in the *LTS world is mostly understood as figuring out if a CVE affects packages in those ecosystems, and it therefore typically happens after the Security Team has performed their assessments in the tracker. General triaging (what the DebSec team does) could also be performed by LTS members, as it globally helps *LTS and Debian. This is typically what Neil has been doing in the past months, and we'd like to formalize that a bit.

There are 2 aspects to this IMO:

  • Expanding the {E}LTS triage definition to include "general" efforts outside of the current "does this affect {E}LTS, should it be added to dla-need?"
  • Deciding how that articulates w/ FD duties (which right now is the only role allowed to do triaging in LTS)

"Triaging only when on FD" made sense so far to avoid collisions and duplicated work around dla-needed, but this may need to be revisited if we explicitly add general triaging (for lack of a better name).