Re: Removing no-dsa entries when releasing a DLA
On Thu, Nov 08, 2018 at 10:05:39AM +0100, Raphael Hertzog wrote:
> On Tue, 06 Nov 2018, Moritz Muehlenhoff wrote:
> > On Tue, Nov 06, 2018 at 08:16:21PM +0100, Markus Koschany wrote:
> > > Am 06.11.18 um 20:09 schrieb Moritz Muehlenhoff:
> > > > Hi,
> > > > if you fix any issues which were formerly tagged <no-dsa> in a DLA, make sure
> > > > to remove the no-dsa in CVE/list as well, e.g. in the DLA-1568-1 for curl.
> > >
> > > I was about to do that, as usual, but when someone else does it four
> > > minutes after I requested a DLA number and I still work on the commit,
> > > then there is not really anything what can be done about it. I suggest
> > > being a bit more patient in such cases.
> > Your's is just an arbitrary example, there's plenty of other cases where that
> > did not happen at all until Salvatore cleaned it up.
> Why is that even needed?
Otherwise they're still listed as no-dsa in the tracker.
> Can't we improve the security tracker to ignore
> those no-dsa tag when the CVE has been fixed? Or have some script to
> remove them automatically?
You could add code to bin/gen-D?A to strip existing no-dsa tags for CVE
ID passed to the script.
Until that exists, make sure to strip this manually.