
Re: Guidance on <no-dsa> and adding entries to dsa/dla-needed.txt



On Mon, Sep 22, 2014 at 02:30:17PM +0200, Raphael Hertzog wrote:
> Hello,
> 
> I'm in the process of reviewing open CVE in oldstable and deciding whether
> it must be added to dla-needed.txt or not. I have multiple questions:
> 
> 1/ is there a page on the security tracker that lists packages with
> open vulnerabilities in stable/oldstable which are neither unimportant,
> nor marked <no-dsa> and not present in dsa/dla-needed ? (I could not
> find one)
> 
> Shall I file a wishlist request for this ?

Absolutely. We already discussed this at the last security team meeting,
but no one came around to implementing it.
 
> 2/ Since we decided early-on to mark squeeze as <no-dsa> when wheezy was
> also marked as such, I wonder what I should do when no such decision
> has been made yet (i.e. the package is not in dsa-needed.txt but the CVE
> entry also doesn't have any <no-dsa> or unimportant tag). I would like
> to have some guidelines on when it's appropriate to mark something as
> <no-dsa> or when it's better to add it to dsa/dla-needed (apparently I
> made a bad decision once already, since Moritz reverted
> http://anonscm.debian.org/viewvc/secure-testing?view=revision&revision=28950)

In such cases, it's probably best to send a short mail to team@security.debian.org
(with CC to debian-lts) suggesting that an issue is no-dsa for wheezy. In many
cases someone will already have made a first assessment, but not finalised it yet.
And a second opinion always helps.

Cheers,
        Moritz

