
Re: LTS, no-dsa reasoning and sponsored packages



Hi Sylvain,

On Mon, Apr 08, 2019 at 10:18:08PM +0200, Sylvain Beucler wrote:
> Hi,
> 
> On 08/04/2019 21:56, Holger Levsen wrote:
> > On Mon, Apr 08, 2019 at 09:51:19PM +0200, Salvatore Bonaccorso wrote:
> >> Recently I noticed that for a no-dsa (either for no-dsa or the
> >> stronger ignored) as explanation was started to be used e.g. "not used
> >> by any sponsor".
> 
> That sounds related to my triage of libpodofo today.

It was at least the trigger for my mail ;-)

> Firstly, as an aside, it seemed to me that <ignored> was not stronger,
> but more precise than <no-dsa> (a "sub-state" as documented at
> https://security-team.debian.org/security_tracker.html#issues-not-warranting-a-security-advisory
> ).
> Let me know if you prefer we use <no-dsa>

Yep I know about the sub-state distinction. What I meant with stronger
can maybe be illustrated as follows: while an issue marked as no-dsa
might be reconsidered, postponed definitively to be looked at at the next
update we want to have for a specific source package, ignored is
stronger in the sense that we likely are not going to look at this anymore
from the security team point of view (well, one can always reconsider, but
let's say that is the intention at the point when someone adds the
entry in the list for a specific CVE and suite). Does not mean it cannot
be fixed, but somehow it goes down on the radar. Anyway, that was not
the main point. I raised the concern about the 'not used by any
sponsors' part. Using the appropriate substate as needed is fine, so
whatever it will be for the respective entry, either no-dsa, postponed
or ignored for the respective triage.

> >> If LTS is meant as Debian project, then I would suggest not to start
> >> to use those formulations, which I think are fine for ELTS, which is a
> >> dedicated project not on Debian directly. Saying something is not DSA
> >> worthy or is going to be ignored, because it's not used by a LTS
> >> sponsor will give a signal to others that indeed, Debian LTS is not a
> >> generic Debian project.
> > thanks for bringing this up. FWIW, I agree with you.
> Secondly, being my first go at triaging, I looked at past triages, and
> the first occurrence of "not used by any sponsor" is from last August,
> so I believed that was a good reason to document it as an additional
> reason (the main reason being it's a caught exception / basic DoS, not a
> crash with memory overwrite & cie, plus a low popcon for Jessie).
> 
> But I'll leave that out from now on.
> 
> 
> >> Just stick to "Minor issue" in such cases if something is not DSA
> >> worthy because the issue is minor, but do not make it dependent on if
> >> a paying LTS sponsor is using it or not.
> > (or don't mark it "Minor issue" if it's not minor. This should also
> > hopefully make it more likely someone picks it up as a volunteer effort,
> > eg when proving one is capable of lts work...)
> 
> FWIW I like when we justify why it is minor.

Sure, I really wanted to highlight the 'not used by any sponsor' part.
It is perfectly fine to write more there, not just minor issue, and
give some concise reasoning on why something is no-dsa, ignored or
postponed. Just try to keep it concise (or, otherwise worded, not let it
become a novel).

Hope this helps,

Regards,
Salvatore
