
Re: Removing no-dsa entries when releasing a DLA



On Thu, Nov 08, 2018 at 10:05:39AM +0100, Raphael Hertzog wrote:
> On Tue, 06 Nov 2018, Moritz Muehlenhoff wrote:
> > On Tue, Nov 06, 2018 at 08:16:21PM +0100, Markus Koschany wrote:
> > > Am 06.11.18 um 20:09 schrieb Moritz Muehlenhoff:
> > > > Hi,
> > > > if you fix any issues which were formerly tagged <no-dsa> in a DLA, make sure
> > > > to remove the no-dsa in CVE/list as well, e.g. in the DLA-1568-1 for curl.
> > > 
> > > I was about to do that, as usual, but when someone else does it four
> > > minutes after I requested a DLA number and I still work on the commit,
> > > then there is not really anything that can be done about it. I suggest
> > > being a bit more patient in such cases.
> > 
> > Yours is just an arbitrary example, there's plenty of other cases where that
> > did not happen at all until Salvatore cleaned it up.
> 
> Why is that even needed?

Otherwise they're still listed as no-dsa in the tracker.

> Can't we improve the security tracker to ignore
> those no-dsa tags when the CVE has been fixed? Or have some script to
> remove them automatically?

You could add code to bin/gen-D?A to strip existing no-dsa tags for CVE
IDs passed to the script.

Until that exists, make sure to strip this manually.

Cheers,
        Moritz
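
One way the stripping step suggested above could work, as an added example that is not part of the original message or of the security tracker's own bin/gen-D?A code. It assumes that CVE/list keeps each annotation as a tab-indented `[release] - package <no-dsa> (reason)` line under its CVE header; the function name, its release and package parameters, and the sample entries are constructed for illustration.

```python
import re

# Assumed annotation layout: "\t[release] - package <no-dsa> (reason)"
NO_DSA = re.compile(
    r"^\s+\[(?P<release>[a-z]+)\]\s+-\s+(?P<package>\S+)\s+<no-dsa>")
CVE_HEADER = re.compile(r"^(CVE-\d{4}-\d+)\b")

# Constructed sample entries (placeholder CVE IDs, not real tracker data).
SAMPLE = (
    "CVE-9999-0001 (constructed description)\n"
    "\t- curl 7.62.0-1\n"
    "\t[jessie] - curl <no-dsa> (Minor issue)\n"
    "\t[stretch] - curl <no-dsa> (Minor issue)\n"
    "CVE-9999-0002 (constructed description)\n"
    "\t- curl 7.62.0-1\n"
    "\t[jessie] - curl <no-dsa> (Minor issue)\n"
)


def strip_no_dsa(text, cve_ids, release, package):
    """Drop <no-dsa> lines for the given CVEs, release and package.

    Returns (new_text, removed), where removed lists (cve_id, line) pairs.
    """
    wanted = set(cve_ids)
    current = None
    kept, removed = [], []
    for line in text.splitlines(keepends=True):
        header = CVE_HEADER.match(line)
        if header:
            current = header.group(1)
        elif line.strip() and not line[0].isspace():
            current = None  # unknown top-level line: touch nothing below it
        m = NO_DSA.match(line)
        if (m and current in wanted
                and m.group("release") == release
                and m.group("package") == package):
            removed.append((current, line.strip()))
            continue
        kept.append(line)
    return "".join(kept), removed


if __name__ == "__main__":
    new_text, removed = strip_no_dsa(SAMPLE, ["CVE-9999-0001"], "jessie", "curl")
    for cve, line in removed:
        print(f"removed from {cve}: {line}")
    print(new_text, end="")
```

Annotations for other releases, and for CVE IDs not passed in, are left untouched, so only the entries fixed by the release being announced lose their tag.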

