Re: LTS, no-dsa reasoning and sponsored packages

Am 16.04.19 um 09:17 schrieb Raphael Hertzog:
> Hi,
> On Mon, 08 Apr 2019, Markus Koschany wrote:
>> "Not used by any sponsor" is often used internally in commit messages as
>> an additional comment, reason and clarification why a certain issue is
> In commit messages to which repository?
> I think you are mixing up the ELTS security tracker here.

No, I don't.

>> marked no-dsa or ignored, mostly intended for those people who work on
>> LTS. Of course we always take into consideration how useful a fix is and
>> what we should spend our time on. This should come as no surprise to
>> anyone who has followed LTS in the past. Debian LTS is only possible
>> because of this sponsorship, and of course it is part of Debian.
> FWIW, I agree fully with Salvatore that "Not used by any sponsor" is
> completely irrelevant for CVE triaging.
> It's relevant when paid LTS contributors have to select which packages
> they are going to work on, but it's not relevant to evaluate the
> importance of a CVE.
> (The story is very different for ELTS, obviously)

I think there is a big misunderstanding here. For instance, I have
triaged edk2, which is a non-free package in Jessie. Normally we don't
support non-free, but we make an exception when it is used by sponsors,
like firmware-nonfree or unrar in the past. Thus, when I write "non-free
is not supported, not used by any sponsor", I am clarifying that we should
not spend time on such a package. This was always our policy.

Also, the popcon value is a factor to consider when deciding whether to spend time on a fix.
When there are only 10 reported installations for a web application like
hoteldruid, then we usually prioritize more important packages. Hence I
have sent an email to the maintainer of hoteldruid with our rationale
and asked him if he would like to work on the package in the meantime.

I don't agree with Salvatore's concerns, and I find "Minor issue", which
the security team uses rather often as a justification, far less
informative as reasoning.
