
Re: security upload imposing load on other parts of Debian



Hi Salvatore,

> Internally they are all no-dsa states for the tracker. But think of it
> of three "flavours" of no-dsa. 
> 
> For instance for postponed, we think that an update is worthy of a DSA,
> but it makes no sense to just release a DSA for it and the issue
> should be tried to be included in a next update (be it DSA or even a
> point release does not matter, but it has a stronger meaning that if a
> future update is to be done then yes this needs to be included as well
> if possible). 
> 
> The regular no-dsa is weaker in this regard. It just means, there is
> no need for an update via security for it. It can be fixed for instance
> via a point release *but* it is not excluded that you can piggy-back
> such a fix as well once a DSA worthy issue appears and you want to
> issue a DSA/DLA.
> 
> ignored is the strongest on the other part. It indicates from the
> security-team perspective (or LTS team) we generally will not look
> again at the issue (well exceptions can exist). It is a flavour of
> no-dsa but meaning that even in a future evaluation it's likely just skipped.


Ooh, this was very helpful; thank you. Indeed, can we get these very
rough-and-ready definitions copy-pasted somewhere?

However imprecise (and maybe just at first within the LTS pages, but
whatever…) but I bet that would be very beneficial to new contributors
and, well, to me too — I feel like there have been times in the past
when I have not been as precise as I would have liked on the
distinction between <ignored> and <no-dsa>, incorrectly thinking them
to be essentially synonymous.


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org 🍥 chris-lamb.co.uk
       `-

