
Re: finding packages after no-dsa



Hi

On Thu, Apr 12, 2018 at 03:44:36PM +0200, Ola Lundqvist wrote:
> I do not think we really have the possibility to postpone issues in LTS,
> right?

Sure, it is possible; it's no different than for the security team. Say
src:a has issue CVE-2018-12345; this does not warrant an immediate DLA, but
it's important enough to be fixed, and you want to make sure it's
fixed on the next update. With postponed you mark that on the next DLA
you want this fix to be included. You can mark it as well as <no-dsa>,
but <postponed> is a sub-state of <no-dsa> explicitly introduced
to help find those no-dsa entries which are still worth including in the
next DSA. Then when src:a has the next CVE open and you evaluate that it
needs a DSA/DLA, you pick that and you pick as well those which are
<postponed>, unmark them from <postponed> and prepare updates
including those CVE fixes which were previously postponed.

Regards,
Salvatore
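
The lookup described in the message above, as an added example that is not part of the original mail or of the security tracker's own tooling: given a CVE list, collect the entries marked <postponed> for one source package so they can be folded into the next DSA/DLA. The line layout `[release] - package <state> (note)`, the release names and every CVE id other than CVE-2018-12345 are assumptions constructed for the illustration.

```python
import re
from collections import defaultdict

# Constructed sample; the entry layout is an assumption, not quoted from the mail.
SAMPLE = """\
CVE-2018-12345 (constructed placeholder description)
\t[stretch] - a <postponed> (Minor issue, fix along with next update)
\t[jessie] - a <no-dsa> (Minor issue)
CVE-0000-0001 (constructed placeholder description)
\t[stretch] - a <no-dsa> (Minor issue)
CVE-0000-0002 (constructed placeholder description)
\t[stretch] - a <postponed> (Can be fixed along with next update)
CVE-0000-0003 (constructed placeholder description)
\t[stretch] - b <postponed> (Minor issue)
"""

HEADER = re.compile(r"^(CVE-\d{4}-\d+)")
ENTRY = re.compile(
    r"^\s+\[(\w+)\]\s+-\s+(\S+)\s+<(no-dsa|postponed)>(?:\s+\((.*)\))?\s*$"
)


def deferred_entries(text):
    """Map (release, package) -> {state: [CVE ids]} for no-dsa/postponed lines."""
    found = defaultdict(lambda: defaultdict(list))
    cve = None
    for line in text.splitlines():
        header = HEADER.match(line)
        if header:
            cve = header.group(1)  # following indented lines belong to this CVE
            continue
        entry = ENTRY.match(line)
        if entry and cve:
            release, package, state, _note = entry.groups()
            found[(release, package)][state].append(cve)
    return found


def fixes_for_next_update(text, release, package):
    """CVEs marked <postponed> for this package: include them in the next update."""
    return deferred_entries(text).get((release, package), {}).get("postponed", [])


if __name__ == "__main__":
    # src:a gets a new CVE that needs an update: list what was postponed earlier.
    print(fixes_for_next_update(SAMPLE, "stretch", "a"))
```

Plain <no-dsa> entries are deliberately left out of the result, which is the distinction the <postponed> sub-state exists to make.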

