Re: LTS, no-dsa reasoning



On 10/04/2019 12:50, Sylvain Beucler wrote:
> Hi Salvatore,
> 
> On 08/04/2019 22:18, Sylvain Beucler wrote:
>> On 08/04/2019 21:56, Holger Levsen wrote:
>>> On Mon, Apr 08, 2019 at 09:51:19PM +0200, Salvatore Bonaccorso wrote:
>>>> Recently I noticed that for a no-dsa (either for no-dsa or the
>>>> stronger ignored) as explanation was started to be used e.g. "not used
>>>> by any sponsor".
>> Firstly, as an aside, it seemed to me that <ignored> was not stronger,
>> but more precise than <no-dsa> (a "sub-state" as documented at
>> https://security-team.debian.org/security_tracker.html#issues-not-warranting-a-security-advisory
>> ).
>> Let me know if you prefer we use <no-dsa>
> 
> Ping? :)

It depends on the case. ignored is indeed more precise than no-dsa, because a
no-dsa issue can be fixed later (i.e. postponed). However the problem here
wasn't really the ignored vs postponed vs no-dsa tag, but the sponsorship note.
I agree with Salvatore here. An issue should be triaged as no-dsa (or any
substate) based on its own merits, i.e. ease of exploitation, code execution,
remote attack, etc. The sponsorship status is irrelevant there and doesn't
really add any meaningful information.

Cheers,
Emilio
