Re: LTS, no-dsa reasoning and sponsored packages

[Raphael Hertzog <hertzog@debian.org>]

Hi,

On Mon, 08 Apr 2019, Markus Koschany wrote:
> "Not used by any sponsor" is often used internally in commit messages as
> an additional comment, reason and clarification why a certain issue is

In commit message to which repository?

I think you are mixing the ELTS security tracker here.

> marked no-dsa or ignored, mostly intended for those people who work on
> LTS. Of course we always take into consideration how useful a fix is and
> on what we should spend our time on. This should come to no surprise to
> everyone who followed LTS in the past. Debian LTS is only possible
> because of this sponsorship and of course it is part of Debian.

FWIW, I agree fully with Salvatore that "Not used by any sponsor" is
completely irrelevant for CVE triaging.

It's relevant when paid LTS contributors have to select which packages
they are going to work on, but it's not relevant to evaluate the
importance of a CVE.

(The story is very different for ELTS, obviously)

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/