Re: LTS, no-dsa reasoning and sponsored packages

To: Raphael Hertzog <hertzog@debian.org>
Cc: debian-lts@lists.debian.org
Subject: Re: LTS, no-dsa reasoning and sponsored packages
From: Markus Koschany <apo@debian.org>
Date: Tue, 16 Apr 2019 14:15:59 +0200
Message-id: <[🔎] 5dbdfa23-a5e8-e5fb-8192-4fb6a34b34ac@debian.org>
In-reply-to: <[🔎] 20190416071746.GA11495@home.ouaza.com>
References: <[🔎] 20190408195119.GA27493@eldamar.local> <[🔎] 6be3a33c-4592-e881-e011-819ccac9258c@debian.org> <[🔎] 20190416071746.GA11495@home.ouaza.com>

Am 16.04.19 um 09:17 schrieb Raphael Hertzog:
> Hi,
> 
> On Mon, 08 Apr 2019, Markus Koschany wrote:
>> "Not used by any sponsor" is often used internally in commit messages as
>> an additional comment, reason and clarification why a certain issue is
> 
> In commit message to which repository?
> 
> I think you are mixing the ELTS security tracker here.

No, I don't.

> 
>> marked no-dsa or ignored, mostly intended for those people who work on
>> LTS. Of course we always take into consideration how useful a fix is and
>> on what we should spend our time on. This should come to no surprise to
>> everyone who followed LTS in the past. Debian LTS is only possible
>> because of this sponsorship and of course it is part of Debian.
> 
> FWIW, I agree fully with Salvatore that "Not used by any sponsor" is
> completely irrelevant for CVE triaging.
> 
> It's relevant when paid LTS contributors have to select which packages
> they are going to work on, but it's not relevant to evaluate the
> importance of a CVE.
> 
> (The story is very different for ELTS, obviously)

I think there is a big misunderstanding here. For instance I have
triaged edk2 which is a non-free package in Jessie. Normally we don't
support non-free but we make an exception when it is used by sponsors
like firmware-nonfree or unrar in the past. Thus when I write non-free
is not supported, not used by any sponsor I am clarifying that we should
not spend time on such a package. This was always our policy.

Also popcon value is a factor to consider for spending time on a fix.
When there are only 10 reported installations for a web application like
hoteldruid then we usually prioritize more important packages. Hence I
have sent an email to the maintainer of hoteldruid with our rationale
and asked him if he would like to work on the package in the meantime.

I don't agree with Salvatore's concerns and I find "Minor issue" far
less informative as a reasoning which the security team uses rather
often as a justification.

Markus

Attachment: signature.asc
Description: OpenPGP digital signature

Reply to:

References:
- LTS, no-dsa reasoning and sponsored packages
  - From: Salvatore Bonaccorso <carnil@debian.org>
- Re: LTS, no-dsa reasoning and sponsored packages
  - From: Markus Koschany <apo@debian.org>
- Re: LTS, no-dsa reasoning and sponsored packages
  - From: Raphael Hertzog <hertzog@debian.org>

Prev by Date: Re: [Pkg-clamav-devel] LTS update of clamav and call for advice
Next by Date: April (E)LTS Report
Previous by thread: Re: LTS, no-dsa reasoning and sponsored packages
Next by thread: Re: LTS, no-dsa reasoning and sponsored packages
Index(es):
- Date
- Thread