Re: Fixing minor/unimportant issues via DLA on demand


On 20/03/2020 01:37, Utkarsh Gupta wrote:
> I was curious to know if we can (or rather, we should) fix some
> CVE(s), which has been marked minor/unimportant by the Security team
> or/and the person at front-desk, if there's a demand for it (meaning,
> some Jessie user requested it)?
> Or, if the maintainer (upstream or downstream or both) wants it to be
> fixed in Jessie?
These are 2 cases (request from Jessie user or from maintainer) that I
have yet to see :)
Do you have a specific case in mind?

More generally:
- minor: when marked no-dsa or postponed (no-dsa substate), those are
usually fixed later in batch, or along with a normal/major
security flaw, to avoid too many security updates (whose impact is not
neutral for users)
- unimportant: those are more rare and usually not fixed at all, because
they are not supposed to impact security in the context of our Debian


