two years of work of paid contributors in the debian long
play

Two Years of Work of Paid Contributors in the Debian Long Term - PowerPoint PPT Presentation

Jun 12, 2023 •674 likes •1.07k views

Two Years of Work of Paid Contributors in the Debian Long Term Support Project By Raphal Hertzog <hertzog@debian.org> DebConf 16 / Cape Town / 2016-07-08 Plan of the talk Presentation of the LTS project/team Workflow of the

  1. Two Years of Work of Paid Contributors in the Debian Long Term Support Project By Raphaël Hertzog <hertzog@debian.org> DebConf 16 / Cape Town / 2016-07-08

  2. Plan of the talk ● Presentation of the LTS project/team ● Workflow of the team: how to contribute ● Statistics about the team ● Changes since last year ● How do we (try to) avoid money-related problems ● Questions ● Feel free to ask questions at any time

  3. Presentation of the LTS project What is LTS about? What were the challenges? Choices made: at the technical level, at the organizational level

  4. What is LTS about ? ● Thus allowing users ● Providing 5 years of to skip a release security support

  5. Initial challenges ● Keeping a distribution secure for 5 years is hard work that is not very rewarding ● The security team ● has limited resources ● aims to support all Debian packages on all release architectures

  6. Technical choices: restrict the perimeter ● Restrict architecture support to amd64, i386, armel and armhf (two more arches than squeeze). ● Exclude some “problematic” packages from security support (much less than squeeze so far): ● chromium-browser, openstack, iceape, libv8, mantis, mediawiki, movabletype-opensource, openjdk-6 (7.x is supported), openswan, redmine, rails 2.x (3.x is supported), sogo, swift, tomcat6 (end of 2016), typo3- src, virtualbox, vlc http://anonscm.debian.org/cgit/collab-maint/debian-security-support.git/tree/security-support-ended.deb7 ●

  7. Organizational choice #1: creation of a new team ● Security team ≠ Debian LTS team ● But members of the security team helped to bootstrap the LTS team ● Different policies ● Different infrastructure ● Mailing list : debian-lts@lists.debian.org https://lists.debian.org/debian-lts/ ● IRC channel: #debian-lts on irc.debian.org (OFTC)

  8. Organizational choice #2: seeking help of companies ● Try to pool the work of companies which were doing in-house long term security support already ➔ Press release to invite companies to join ● Let other organizations fund the project so that Debian contributors can be paid to do the work ➔ https://wiki.debian.org/LTS/Funding lists all ways to help with money ● In practice, most of the (wanting to be) paid contributors joined forces behind a single offer managed by Freexian SARL : https://www.freexian.com/services/debian-lts.html

  9. Freexian's intermediary role

  10. Workflow of the team Triage of security issues Preparation of security update Test of security update Upload and announce of update

  11. Triage of security issues ● Done in the security tracker (common to Debian Security and Debian LTS) https://security-tracker.debian.org/ http://security-team.debian.org/security_track er.html 1.New issues added to data/CVE/list 2.Issues dispatched on source packages 3.Issues reviewed for each release 4.Classification according to analysis

  12. Ways to classify security issues ● Depending on analysis: ➔ Package added to data/dla-needed.txt so that someone will take care of preparing the update (currently <unfixed>) ➔ Issue does not apply (<not-affected>) ➔ Issue ignored because package is not supported (<end-of-life>) ➔ Issue not important enough (<no-dsa>) ➔ Issue already fixed in a former version ● Keep the maintainers in the loop, they can always fix issues (even the non-important ones)

  13. Extract of data/CVE/list CVE-2015-2317 (The utils.http.is_safe_url function in Django…) {DSA-3204-1} - python-django 1.7.7-1 (bug #780873) [squeeze] - python-django <no-dsa> (Minor issue, can wait next security upload) NOTE: https://github.com/django/django/commit/… (1.4.x) CVE-2015-2189 (Off-by-one error in the pcapng_read…) {DSA-3210-1} - wireshark 1.12.1+g01b65bf-4 (bug #780372) [squeeze] - wireshark <not-affected> (Vulnerable code not present) NOTE: https://bugs.wireshark.org/bugzilla/… CVE-2014-9701 [XSS issue in MantisBT permalink_page.php] - mantis <removed> (bug #780875) [wheezy] - mantis <no-dsa> (Minor issue) [squeeze] - mantis <end-of-life> (Unsupported in squeeze- lts) NOTE: Fixed by https://github.com/mantisbt/… (1.2.x)

  14. Preparation of the security update ● Find a patch ● Backport it if required ● Prepare an upload with a “+ deb7uX ” suffix, applying the patch as appropriate ● Document fixed CVE in the changelog and in patch headers

  15. Test the update and upload ● Build and test the result to ensure that ● the package still works ● the fix works as expected ● there's no obvious regression ● If unsure of your update, get in touch: ● Ask others to test ● Seek reviews of your debdiff ● If everything is ok, upload to wheezy-security

  16. Announce the security update ● Prepare a “DLA” (Debian LTS Advisory) $ ./bin/gen-DLA --save expat CVE-2012-6702 CVE-2016-5300 Enter wheezy's version [unset]: 2.1.0-1+deb7u4 DLA text written to ./DLA-508-1 $ svn commit ● Send it to debian-lts-announce@lists.debian.org $ mutt -H DLA-508-1 ● This process updates data/DLA/list which is used by the security tracker to know the CVE fixed by the update

  17. Statistics about the team Who uploaded packages? How did it evolve since the beginning? How is the funding evolving? Data between 2014-06-01 and 2015-07-31

  18. Stats: 549 LTS uploads ● By affiliation: ● By contributor: ● Thorsten Alteholz: 125 (in 24 months) ● Freexian: 380 ● Santiago Ruano Rincon: 51 (13 months) ● Raphaël Hertzog: 40 (16 months) ● None (maintainers) : 88 ● Chris Lamb: 29 (8 months) ● Security team: 32 ● Ben Hutchings: 28 (15 months) ● Holger Levsen: 28 (8 months) ● EDF: 14 ● Markus Koschany: 25 (8 months) ● Mike Gabriel: 23 (11 months) ● credativ: 12 ● Thijs Kinkhorst: 17 (9 months) ● Individuals: 11 ● Guido Günther: 14 (11 months) ● Kurt Roeck: 13 (12 months) ● Toshiba: 7 ● Raphaël Geissert: 13 (6 months) ● Univention: 4 ● Scott Kitterman: 12 (8 months) ● Christoph Berg: 9 (8 months) ● Catalyst: 1 ● …

  19. LTS uploads over time Debian L TS uploads 60 50 Univention 40 T oshiba None Freexian Number of uploads EDF 30 Debian Security Debian LTS credativ Catalyst 20 10 0 2014-07 2014-09 2014-11 2015-01 2015-03 2015-05 2015-07 2015-09 2015-11 2016-01 2016-03 2016-05 2014-06 2014-08 2014-10 2014-12 2015-02 2015-04 2015-06 2015-08 2015-10 2015-12 2016-02 2016-04

  20. Statistics about sponsored hours managed by Freexian ● Sponsors: 46 ● Hours sponsored ● Platinum (>= 24h/month): 1 ● 135 h/month currently ● Gold (>= 8 h/month): 5 dispatched to 11 contributors ● Silver (>= 4 h/month): 10 ● 1854h since the start (740h ● Bronze (>= 1h/month): 22 already paid to be dispatched ● Iron (< 1 h/month): 8 over the next year) ● Average: 2.94 h/month/sponsor Hours sponsored and number of paid contributors (by month) 160 12 140 10 Number of paid contributors 120 8 100 80 6 Hours 60 4 40 2 20 0 0 2014-08 2014-10 2014-12 2015-02 2015-04 2015-06 2015-08 2015-10 2015-12 2016-02 2016-04 2016-06 2014-07 2014-09 2014-11 2015-01 2015-03 2015-05 2015-07 2015-09 2015-11 2016-01 2016-03 2016-05 Hours Nb Paid Contributors

  21. Changes since last year Switch from Squeeze to Wheezy LTS New architectures Working with external partners to support some packages without upstream support

  22. Switch from Squeeze LTS to Wheezy LTS ● No wheezy-lts repository ● We keep using wheezy-security ● No changes for the user ● Changes for the contributors ● More packages supported ● Xen, qemu/qemu-kvm, firefox, icedove, libav, libvirt, zabbix, … ● Made possible by larger amount of sponsorship

  23. New architectures in Wheezy LTS ● armel and armhf ● Requested by new Japanese sponsor: ● Accepted by ftpmasters and buildd maintainers in the last days before the start of Wheezy LTS

  24. Working with external partners ● To support important packages that do not benefit from upstream support (for the version we use in Wheezy) ● External partners: upstream developers that can be contracted, or consultants/companies with expertise on that specific software ● Two such cases currently: ● Xen with credativ (Bastian Blank so far) ● Libav with Diego Biurrun

  25. How do we (try to) avoid money related problems ● Transparency ● External ● Internal ● Open rules to join the set of paid contributors ● Hours allocation rules ● Communication rules ● Point of contact for complaints

  26. External transparency with public monthly reports ● From Freexian: ● How many hours were assigned to contributors ● Links to their respective reports ● Some high level analysis on what happened ● List of sponsors ● Syndicated on Planet Debian ● From paid contributors: ● How many hours they worked and what they did ● On their blog or on the debian-lts mailing list

  27. Internal transparency with legder for hours allocation (1/3) ● Payments from sponsors transformed in work hours assigned to future months (split over all months from the payment period): 2016-06-13 Invoice 201606-063 (Offensive Security) Funded Available:2016:07 2h Available:2016:08 2h Available:2016:09 2h [...]

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

The long road to aka Debian Edu in Debian Lenny main Holger Levsen, February 24 th 2008

The long road to aka Debian Edu in Debian Lenny main Holger Levsen, February 24 th 2008

The long road to aka Debian Edu in Debian Lenny main Holger Levsen, February 24 th 2008 Outline Some bits about me Project goals, design &amp; features Debian and Debian Edu Development model and tools Debian Edu Etch

582 views • 36 slides
Debian 8.0 AKA jessie Michael Prokop Facts 1/3 Debian 8, codename jessie 2 years

Debian 8.0 AKA jessie Michael Prokop Facts 1/3 Debian 8, codename jessie 2 years

Debian 8.0 AKA jessie Michael Prokop Facts 1/3 Debian 8, codename jessie 2 years after Debian 7, codename wheezy (2013-05-04) Release Date: 2015-04-25 [party!] 75 supported languages 4.841 new source packages

587 views • 19 slides
Debian Long Term Support The story of an unusual team By Raphal Hertzog

Debian Long Term Support The story of an unusual team By Raphal Hertzog

Debian Long Term Support The story of an unusual team By Raphal Hertzog &lt;hertzog@debian.org&gt; Lyon Mini-DebConf / 2015-04-12 Plan of the talk Presentation of the LTS project/team Statistics about the team Current and future

284 views • 26 slides
Sylvestre Ledru sylvestre@debian.org Lo Cavaill leo+debian@cavaille.net Debian + 20

Sylvestre Ledru sylvestre@debian.org Lo Cavaill leo+debian@cavaille.net Debian + 20

Sylvestre Ledru sylvestre@debian.org Lo Cavaill leo+debian@cavaille.net Debian + 20 000 source packages ~13 architectures 3 kernels The biggest database of FLOSS code (?) The Debile Project January, 19th 2014 Sylvestre Ledru

571 views • 25 slides
What does a deal look like? How do I get paid? What will I need? How long

What does a deal look like? How do I get paid? What will I need? How long

What does a deal look like? How do I get paid? What will I need? How long will it take? There are actually only 3 main deal types in the house business. 1. Rehabs Buy it cheap, renovate it and sell at retail price and

883 views • 72 slides
Patterns for Testing Debian Packages Antonio Terceiro terceiro@debian.org A brief intro to

Patterns for Testing Debian Packages Antonio Terceiro terceiro@debian.org A brief intro to

Patterns for Testing Debian Packages Antonio Terceiro terceiro@debian.org A brief intro to Debian CI autopkgtest created back in 2006 (!) 2014: Debian CI launches Goal: provide automated testing for the Debian archive (i.e. run

816 views • 68 slides
Custom Debian distributions and Debian derivatives Aigars Mahinovs Debconf 5 Debian Day

Custom Debian distributions and Debian derivatives Aigars Mahinovs Debconf 5 Debian Day

Custom Debian distributions and Debian derivatives Aigars Mahinovs Debconf 5 Debian Day Definitions Distribution a set of OS kernel and supporting software in a defined format with the possibility of some integration by adjusting

134 views • 12 slides
The Debian Long Term Support Team: Past, Present and Future By Raphal Hertzog

The Debian Long Term Support Team: Past, Present and Future By Raphal Hertzog

The Debian Long Term Support Team: Past, Present and Future By Raphal Hertzog &lt;hertzog@debian.org&gt; DebConf 15 / Heidelberg / 2015-08-15 Plan of the talk Presentation of the LTS project/team Statistics about the team Current

574 views • 26 slides
What Make Long Term Contributors Willingness and Opportunity in Open Source Community Minghui

What Make Long Term Contributors Willingness and Opportunity in Open Source Community Minghui

What Make Long Term Contributors Willingness and Opportunity in Open Source Community Minghui Zhou Audris Mockus Peking University Avaya Labs Research zhmh@pku.edu.cn audris@avaya.com Outline Long-term contributors (LTCs) are crucial to

389 views • 16 slides
Debian KDE-Extras Team Debian KDE-Extras Team Mark Purcell &lt;msp@debian.org&gt; Introduction

Debian KDE-Extras Team Debian KDE-Extras Team Mark Purcell &lt;msp@debian.org&gt; Introduction

Debian KDE-Extras Team Debian KDE-Extras Team Mark Purcell &lt;msp@debian.org&gt; Introduction Introduction The Debian KDE Extras Team maintain a portfolio of extra application packages for Debian GNU/Linux outside the KDE core applications

554 views • 18 slides
Debtags is ready How to add Debtags to your everyday Debian work Enrico Zini enrico@debian.org

Debtags is ready How to add Debtags to your everyday Debian work Enrico Zini enrico@debian.org

Conclusion Debtags is ready How to add Debtags to your everyday Debian work Enrico Zini enrico@debian.org 21 June 2007 Enrico Zini enrico@debian.org Debtags is ready Conclusion What is Debtags A vocabulary of categories ( tags for short). A

445 views • 18 slides
15 years and counting Andreas Tille Debian Montreal, 7. August 2017 Andreas Tille (Debian) 15

15 years and counting Andreas Tille Debian Montreal, 7. August 2017 Andreas Tille (Debian) 15

15 years and counting Andreas Tille Debian Montreal, 7. August 2017 Andreas Tille (Debian) 15 years and counting Montreal, 7. August 2017 1 / 24 Past 1 Present 2 Future 3 Andreas Tille (Debian) 15 years and counting Montreal, 7.

799 views • 56 slides
Use of Grid Computing for Debian Quality Assurance Lucas Nussbaum lucas@debian.org

Use of Grid Computing for Debian Quality Assurance Lucas Nussbaum lucas@debian.org

Introduction QA tasks Infrastructure Results Future Work Conclusion Use of Grid Computing for Debian Quality Assurance Lucas Nussbaum lucas@debian.org lucas.nussbaum@imag.fr Laboratoire dInformatique de Grenoble - Projet MESCAL

576 views • 31 slides
Distribui c oes Personalizadas Debian Otavio Salvador Enrico Zini otavio@debian.org,

Distribui c oes Personalizadas Debian Otavio Salvador Enrico Zini otavio@debian.org,

Conte udo Como criar um Distribui c ao Personalizada Debian Debian-BR-CDD Distribui c oes Personalizadas Debian Otavio Salvador Enrico Zini otavio@debian.org, enrico@debian.org Congreso Internacional de Software Livre - 2 Edi

532 views • 25 slides
Universal Credit Full Service Overview UC focuses on work Paid monthly In and out of work Paid

Universal Credit Full Service Overview UC focuses on work Paid monthly In and out of work Paid

Universal Credit Full Service Overview UC focuses on work Paid monthly In and out of work Paid directly Claimant commitment Its requirements about work Its like work Claimant commitment like a Full time work search contract

493 views • 18 slides
Running an SME on Debian or Managing Debian across the whole fleet Apollon Oikonomopoulos

Running an SME on Debian or Managing Debian across the whole fleet Apollon Oikonomopoulos

apoikos@debian.org Running an SME on Debian or Managing Debian across the whole fleet Apollon Oikonomopoulos DebConf16 - Cape Town 2016-07-04 Outline Introduction Installation Configuration management Package management People 2/26

697 views • 27 slides
LTSI project update (2015 fall editoin) How to choose the best kernel for your embedded system

LTSI project update (2015 fall editoin) How to choose the best kernel for your embedded system

What is LTS &amp; LTSI kernel ? BSP development w/LTSI kernel Conclusion and Resources LTSI project update (2015 fall editoin) How to choose the best kernel for your embedded system Hisao Munakata LTSI Project @ Linux Foundation, CE working

846 views • 46 slides
ACQUISITIONS MERCHANT AND MANUFACTURERS BANCORPORATION, INC. and OZAUKEE BANK July 10 2007

ACQUISITIONS MERCHANT AND MANUFACTURERS BANCORPORATION, INC. and OZAUKEE BANK July 10 2007

ACQUISITIONS MERCHANT AND MANUFACTURERS BANCORPORATION, INC. and OZAUKEE BANK July 10 2007 FORWARD-LOOKING STATEMENTS CAUTION REGARDING FORWARD-LOOKING STATEMENTS This presentation includes forward-looking statements that are intended to

580 views • 10 slides
Is It Time To Play Offense or Defense with Defense Stocks? September 16, 2006 American

Is It Time To Play Offense or Defense with Defense Stocks? September 16, 2006 American

Is It Time To Play Offense or Defense with Defense Stocks? September 16, 2006 American Association of Individual Investors (DC Chapter) Kevin P. DeSanto, Vice President Houlihan Lokey Investment Banking Services Aerospace Defense

1.43k views • 79 slides
Identifying hubs and spokes in global supply chains with redirected trade in value added Paul

Identifying hubs and spokes in global supply chains with redirected trade in value added Paul

Identifying hubs and spokes in global supply chains with redirected trade in value added Paul Veenendaal Arjan Lejour Hugo Rojas-Romagosa Outline Background and purpose Methodology global input-output analysis

412 views • 37 slides
Introduction to labelled transition systems Jos Proena HASLab - INESC TEC Universidade do

Introduction to labelled transition systems Jos Proena HASLab - INESC TEC Universidade do

Introduction to labelled transition systems Jos Proena HASLab - INESC TEC Universidade do Minho Braga, Portugal February, 2016 LTS Basic definitions Process algebra Behavioural equivalences Similarity Bisimilarity Reactive systems

1.39k views • 39 slides
Labeled Transition Systems 2IT70 Finite Automata and Process Theory Technische Universiteit

Labeled Transition Systems 2IT70 Finite Automata and Process Theory Technische Universiteit

Labeled Transition Systems 2IT70 Finite Automata and Process Theory Technische Universiteit Eindhoven June 4, 2014 The lady or the tiger open open marry eat 2 IT70 (2014) Labeled Transition Systems 2 / 26 The lady or the tiger open open

1.13k views • 72 slides
Semantics and Verification 2005 Lecture 1 Lecturer: Jiri Srba B2-203, srba@cs.aau.dk Assistant:

Semantics and Verification 2005 Lecture 1 Lecturer: Jiri Srba B2-203, srba@cs.aau.dk Assistant:

Organization of the Course Introduction Formal Models for Reactive Systems Introduction to CCS Semantics and Verification 2005 Lecture 1 Lecturer: Jiri Srba B2-203, srba@cs.aau.dk Assistant: Bjrn Haagensen B2-205, bh@cs.aau.dk Lecture 1

613 views • 28 slides
Labelled Transition Systems Lu s Soares Barbosa Architecture &amp; Calculi Course Unit

Labelled Transition Systems Lu s Soares Barbosa Architecture &amp; Calculi Course Unit

Labelled Transition Systems Lu s Soares Barbosa Architecture &amp; Calculi Course Unit Universidade do Minho Architecture &amp; Calculi Labelled Transition Systems Behavioural equivalences Composition Introduction to the Architecture

997 views • 36 slides

More recommend