
Re: finding packages after no-dsa



Hi

Now I understand better. I thought postponed was used for updates in the next point release. Now I understand the difference. In this case I think it would be good if it were more visible in the security tracker so people who update the package next time will not ignore it.

Best regards

// Ola

On 12 April 2018 at 16:11, Salvatore Bonaccorso <carnil@debian.org> wrote:
Hi

On Thu, Apr 12, 2018 at 03:44:36PM +0200, Ola Lundqvist wrote:
> I do not think we really have the possibility to postpone issues in LTS,
> right?

Sure, it is possible; it's no different than for the security team. Say
src:a has issue CVE-2018-12345; this does not warrant an immediate DLA, but
it's important enough to be fixed, and you want to make sure it's
fixed on the next update. With postponed you mark that on the next DLA
you want this fix to be included. You can mark it as well as <no-dsa>,
but <postponed> is a sub-state of <no-dsa> explicitly introduced
to help find those no-dsa entries which are still worth including in the
next DSA. Then when src:a has the next CVE open and you evaluate that it
needs a DSA/DLA, you pick that and you pick as well those which are
<postponed>, unmark them from <postponed> and prepare updates
including those CVE fixes which were previously postponed.

Regards,
Salvatore




--
 --- Inguza Technology AB --- MSc in Information Technology ----
/  ola@inguza.com                    Folkebogatan 26            \
|  opal@debian.org                   654 68 KARLSTAD            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
 ---------------------------------------------------------------
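The lookup discussed in this thread, as an added example that is not part of either message or of the security tracker's own code: when preparing an update for a source package, list its `<postponed>` entries separately from plain `<no-dsa>` ones. The line layout of the CVE list (a CVE header followed by indented `[release] - package <state> (note)` annotations) is an assumption, as are the function name `triaged` and all sample entries, which are constructed.

```python
import re

# Constructed sample in the layout assumed for the tracker's CVE list:
# a CVE header line, then tab-indented per-release annotations.
SAMPLE = """\
CVE-2018-12345 (constructed description)
\t- a 1.2-3
\t[jessie] - a <postponed> (Minor issue, fix along with next DLA)
CVE-2018-12346 (constructed description)
\t- a <unfixed>
\t[jessie] - a <no-dsa> (Minor issue)
CVE-2018-12347 (constructed description)
\t- b 2.0-1
\t[jessie] - b <postponed> (Can wait for next update)
"""

# Matches only release-specific annotations carrying one of the two states.
ANNOTATION = re.compile(
    r"^\s+\[(?P<release>[a-z]+)\]\s+-\s+(?P<pkg>\S+)\s+"
    r"<(?P<state>no-dsa|postponed)>(?:\s+\((?P<note>.*)\))?\s*$"
)


def triaged(text, package, release):
    """Return {state: [(cve, note), ...]} for one source package and release."""
    found = {"postponed": [], "no-dsa": []}
    cve = None
    for line in text.splitlines():
        if line.startswith("CVE-"):
            cve = line.split()[0]  # remember which CVE the annotations belong to
            continue
        m = ANNOTATION.match(line)
        if m and cve and m["pkg"] == package and m["release"] == release:
            found[m["state"]].append((cve, m["note"] or ""))
    return found


if __name__ == "__main__":
    result = triaged(SAMPLE, "a", "jessie")
    for cve, note in result["postponed"]:
        print(f"include in next update: {cve} ({note})")
    for cve, note in result["no-dsa"]:
        print(f"no-dsa, not flagged: {cve} ({note})")
```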