Hi Mike,

> I find that the below package / CVE states make front-desk life easy and
> clear:
>
> - package has been claimed
> - a CVE is tagged with <ignored>
> - a CVE is tagged with <not-affected>
> - a CVE is vulnerable
> - a CVE is fixed

Should we completely stop using <no-dsa> then? This makes sense for the security team, but is it useful in the LTS case? I'm not sure myself. I usually use no-dsa when a CVE is minor but I haven't taken a final decision (ignore it/postpone it) yet (not enough time, no "need" to take a final decision, can be revisited).

> The <postponed> tag is a bit of a dodgy statement here (it should be worked
> upon, but later when some other more severe issue pops up for the same
> package, or when some feedback is received, or when <what-ever>).
>
> So, a <postponed> tag can in fact mean anything. When being at front-desk
> you have to dig into the details (security-tracker comments, older mailing
> list threads, etc.) to understand the nature of individual <postponed> tags.
> This is awkward IMHO.

I don't think so. <postponed> entries don't have to be revisited unless new issues pop up for which we want to release a DLA. Most of the time when I tag <postponed> I mean "this is really minor, preparing an update just for that would be wasting our time. Regression risks are very low though, so let's ship it in a future update".

> Regarding imagemagick, CVE-2019-13308 and CVE-2019-13391 are postponed,
> because upstream feedback is required. CVE-2019-14981 is postponed until
> something more severe needs fixing.
>
> IMHO, CVE-2019-13308 and CVE-2019-13391 are a good reason for keeping
> imagemagick in dla-needed.txt and also keeping it claimed by the person who
> sent out the requests for feedback to upstream.

Regarding CVE-2019-13308 and CVE-2019-13391, I meant "revisit these when preparing the next update, as of now I don't want to apply this undocumented, large, potentially incomplete patch". Also, the issue is not critical, no hurry.

We can just take a look at this when new issues pop up for imagemagick.

This is borderline, so let's stop wasting time: we can keep a dla-needed entry with appropriate comments for both front desk and regular LTS contributors.

cheers,
Hugo

-- 
Hugo Lefeuvre (hle) | www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C