
Guidance on <no-dsa> and adding entries to dsa/dla-needed.txt



Hello,

I'm in the process of reviewing open CVEs in oldstable and deciding whether
they must be added to dla-needed.txt or not. I have multiple questions:

1/ Is there a page on the security tracker that lists packages with
open vulnerabilities in stable/oldstable which are neither unimportant,
nor marked <no-dsa> and not present in dsa/dla-needed? (I could not
find one)

Shall I file a wishlist request for this?

2/ Since we decided early on to mark squeeze as <no-dsa> when wheezy was
also marked as such, I wonder what I should do when no such decision
has been made yet (i.e. the package is not in dsa-needed.txt but the CVE
entry also doesn't have any <no-dsa> or unimportant tag). I would like
to have some guidelines on when it's appropriate to mark something as
<no-dsa> or when it's better to add it to dsa/dla-needed (apparently I
made a bad decision once already, since Moritz reverted
http://anonscm.debian.org/viewvc/secure-testing?view=revision&revision=28950)

This information is not available in
http://security-team.debian.org/security_tracker.html

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Discover the Debian Administrator's Handbook:
→ http://debian-handbook.info/get/

