
Explore ways to figure out which packages in unstable could use help

The goal is to have a script or scripts that, when executed, produce an ordered list of packages which the LTS team can use to identify candidates to whom it could offer assistance.

This falls under the concept of "Work on unstable to ensure the LTS version or latest upstream version of complex packages get into trixie", which was discussed in the October 2024 LTS meeting.

We are most interested in helping with packages that have a history of CVEs, that are large/complex, and that may have insufficient maintainer resources (e.g., a solo maintainer struggling to keep up, or an orphaned package).

Criteria which should be considered include:

  • current and past CVEs (e.g., from the security-tracker)
  • possibly insufficient maintainer resources (e.g., orphaned, single individual maintainer, team that is struggling to keep up with upstream)
  • size/complexity of the package

How the data for the above criteria will be collected still needs to be worked out. Difficulties with collecting particular data points should be discussed in this issue, so that alternatives can be proposed.
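As an added illustration of how the three criteria could be combined into one ordered list (this is not code from this issue or from any LTS team tooling; the weights, the scoring formula and the sample data are all assumptions), the sketch below takes the shape of two inputs that are already available: the security-tracker JSON export (https://security-tracker.debian.org/tracker/data/json, keyed by source package, then CVE id, with a per-release `status` and `urgency`) and the `Maintainer`/`Uploaders`/`Files` fields of a `Sources` index stanza. Both inputs are constructed inline so the script runs offline; the package names and CVE ids are invented placeholders, not real data.

```python
"""Rank source packages as candidates for LTS assistance.

Added example, not part of the original issue. Weights (W_*), urgency
weights and the "open CVE counts double" rule are assumptions; the
sample data below is constructed and contains no real packages or CVEs.
"""
import json
import math

# Constructed sample in the shape of the security-tracker JSON export.
TRACKER_JSON = json.dumps({
    "bigpkg": {
        "CVE-2024-0001": {"releases": {"sid": {"status": "open", "urgency": "medium"}}},
        "CVE-2024-0002": {"releases": {"sid": {"status": "resolved", "urgency": "low", "fixed_version": "1.2-3"}}},
        "CVE-2023-0003": {"releases": {"sid": {"status": "resolved", "urgency": "high", "fixed_version": "1.1-1"}}},
    },
    "smallpkg": {
        "CVE-2024-0004": {"releases": {"sid": {"status": "resolved", "urgency": "unimportant", "fixed_version": "0.5-1"}}},
    },
    "orphaned": {
        "CVE-2024-0005": {"releases": {"sid": {"status": "open", "urgency": "high"}}},
    },
})

# Constructed deb822 stanzas in the shape of a Sources index (not a real index).
SOURCES = """\
Package: bigpkg
Maintainer: Example Team <team@lists.example.org>
Uploaders: Alice <alice@example.org>, Bob <bob@example.org>
Files:
 deadbeef 35000000 bigpkg_1.2.orig.tar.xz

Package: smallpkg
Maintainer: Carol <carol@example.org>
Files:
 cafebabe 120000 smallpkg_0.5.orig.tar.gz

Package: orphaned
Maintainer: Debian QA Group <packages@qa.debian.org>
Files:
 feedface 9000000 orphaned_2.0.orig.tar.bz2
"""

QA_GROUP = "packages@qa.debian.org"          # orphaned packages are maintained by the QA group
URGENCY_WEIGHT = {"high": 3, "medium": 2, "low": 1, "unimportant": 0}  # assumed weights
W_CVE, W_MAINT, W_SIZE = 1.0, 2.0, 1.0       # assumed relative weights of the three criteria


def parse_sources(text):
    """Minimal deb822 parser: {source package: {field: value}}, folding continuation lines."""
    stanzas = {}
    for block in text.strip().split("\n\n"):
        fields, key = {}, None
        for line in block.splitlines():
            if line[:1] in (" ", "\t") and key:          # continuation of the previous field
                fields[key] += "\n" + line.strip()
            else:
                key, _, value = line.partition(":")
                fields[key] = value.strip()
        stanzas[fields["Package"]] = fields
    return stanzas


def orig_size_bytes(fields):
    """Size of the largest .orig tarball listed in Files ("checksum size name" lines); 0 if none."""
    sizes = [int(l.split()[1]) for l in fields.get("Files", "").splitlines() if ".orig.tar" in l]
    return max(sizes, default=0)


def maintainer_score(fields):
    """Higher means fewer people visibly responsible: orphaned > solo maintainer > team."""
    if QA_GROUP in fields.get("Maintainer", ""):
        return 3.0
    uploaders = [u for u in fields.get("Uploaders", "").split(",") if u.strip()]
    return 1.0 / (len(uploaders) if uploaders else 1)


def cve_score(cves):
    """Sum of urgency weights over CVEs that touch sid; still-open ones count double."""
    total = 0.0
    for info in cves.values():
        sid = info.get("releases", {}).get("sid")
        if not sid:                                      # CVE never affected unstable
            continue
        weight = URGENCY_WEIGHT.get(sid.get("urgency", ""), 1)
        total += weight * (2 if sid.get("status") == "open" else 1)
    return total


def rank(tracker_json, sources_text):
    """Return [(score, package, cve_score, maint_score, orig_size)] best candidate first."""
    tracker, sources, rows = json.loads(tracker_json), parse_sources(sources_text), []
    for pkg, cves in tracker.items():
        fields = sources.get(pkg)
        if fields is None:                               # no longer in unstable: nothing to help with
            continue
        c, m, size = cve_score(cves), maintainer_score(fields), orig_size_bytes(fields)
        s = math.log2(1 + size / (1024 * 1024))          # damped size: 1 MiB -> 1, 35 MiB -> ~5
        rows.append((W_CVE * c + W_MAINT * m + W_SIZE * s, pkg, c, m, size))
    rows.sort(key=lambda r: (-r[0], r[1]))
    return rows


if __name__ == "__main__":
    print(f"{'score':>6}  {'package':<10} {'cve':>4} {'maint':>5} {'orig MiB':>8}")
    for score, pkg, c, m, size in rank(TRACKER_JSON, SOURCES):
        print(f"{score:6.1f}  {pkg:<10} {c:4.0f} {m:5.2f} {size / 2**20:8.1f}")
```

The output is a short, human-readable table, one package per line with the per-criterion contributions beside the total, so a reviewer can see why a package ranks where it does before going on to the manual BTS and upstream checks. Swapping in the real tracker export and a real `Sources` file is the only change needed to run it against unstable; tuning the weights is where the discussion in this issue would go.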

The resulting list will serve as the input to a manual process (i.e., it is more important that the output be easy for a human to read). The human part of the process will involve reviewing the list, checking the BTS for bugs indicating a previous request to package the new/latest upstream version, determining which upstream version is the LTS one (if any), offering to help the maintainer, etc.

Please note that this idea is far from ready for implementation. The first step is to further explore the concept and then propose and refine a solution.

/cc @kanashiro @santiago