Re: security upload imposing load on other parts of Debian



Hi Chris,

On Mon, Mar 02, 2020 at 01:57:05AM -0000, Chris Lamb wrote:
> Hi Salvatore,
> 
> > Internally they are all no-dsa states for the tracker. But think of it
> > as three "flavours" of no-dsa.
> > 
> > For instance for postponed, we think that an update is worthy of a DSA,
> > but it makes no sense to just release a DSA for it and the issue
> > should be tried to be included in a next update (be it DSA or even a
> > point release does not matter, but it has a stronger meaning that if a
> > future update is to be done then yes this needs to be included as well
> > if possible).
> > 
> > The regular no-dsa is weaker in this regard. It just means there is
> > no need for an update via security for it. It can be fixed for instance
> > via a point release *but* it is not excluded that you can piggy-back
> > such a fix as well once a DSA worthy issue appears and you want to
> > issue a DSA/DLA.
> > 
> > ignored is the strongest on the other hand. It indicates from the
> > security-team perspective (or LTS team) we generally will not look
> > again at the issue (well, exceptions can exist). It is a flavour of
> > no-dsa but meaning that even in a future evaluation it is likely just skipped.
> 
> Ooh, this was very helpful; thank you. Indeed, can we get these very
> rough-and-ready definitions copy-pasted somewhere?
> 
> However imprecise (and maybe just at first within the LTS pages, but
> whatever…) but I bet that would be very beneficial to new contributors
> and, well, to me too — I feel like there have been times in the past
> when I have not been as precise as I would have liked on the
> distinction between <ignored> and <no-dsa>, incorrectly thinking them
> to be essentially synonymous.

Yes sure (fixing my obvious English grammar issues and typos). We have
a very "high level" view on this in [1], but it might make sense to
add some verbose explanation/outline on this on your respective LTS
subpage where issue triage is documented. The most important bit is, I
think, to explain they are basically all no-dsa, but "smell directions"
or flavours, with strength on how the respective team will consider
them.

Hope this helps!

Regards,
Salvatore

[1] https://security-team.debian.org/security_tracker.html#issues-not-warranting-a-security-advisory
