Hi,
On 02/03/2020 06:53, Salvatore Bonaccorso wrote:
> On Mon, Mar 02, 2020 at 01:57:05AM -0000, Chris Lamb wrote:
>>> Internally they are all no-dsa states for the tracker. But think of it
>>> of three "flavours" of no-dsa.
>>>
>>> For instance for postponed, we think that an update is woth of a DSA,
>>> but it makes no sense to just release a DSA for it and the issue
>>> should be tried to be included in a next update (be it DSA or even a
>>> point release do not mather, but it has a stronger meaning that if a
>>> future update is to be done then yes this needs to be included as well
>>> if possible).
>>>
>>> The regular no-dsa is weker in in this regard. It just means, there is
>>> no need or an update via security for it. It can be fixed for instance
>>> via a point release *but* it is not expcluded that you can piggy-back
>>> such a fix as well once a DSA worthy issue appear and you want to
>>> issue a DSA/DLA.
>>>
>>> ignored is the stronges on the other part. It indicates from the
>>> security-team perspective (or LTS team) we generally will not look
>>> again at the issue (well expecptions can exists). It is a falvour of
>>> no-dsa but meaning it even a future evaluation its likely just skiped.
>>
>>
>> Ooh, this was very helpful; thank you. Indeed, can we get these very
>> rough-and-ready definitions copy-pasted somewhere?
>>
>> However imprecise (and maybe just at first within the LTS pages, but
>> whatever…) but I bet that would be very beneficial to new contributors
>> and, well, to me too — I feel like there have been times in the past
>> when I have not been as precise as I would have liked on the
>> distinction between <ignored> and <no-dsa>, incorrectly thinking them
>> to be essentially synonymous.
>
> Yes sure (fixing my obvious english grammar issues and typos). We have
> a very "high level" view on this in [1], but it might make sense to
> add some verbose explanation/outline on this on your repsective LTS
> subpage where issue triage is documented. The most important bit is, I
> think to explain they are basically all no-dsa, but "smell directions"
> or flavours, with strongness on how the respective team will consider
> they.
>
> [1] https://security-team.debian.org/security_tracker.html#issues-not-warranting-a-security-advisory
If we need to document/precise [1] in LTS documentation, I'd recommend
sticking to <ignore|postponed> as much as possible, since no-dsa
basically means triage is not complete.
Cheers!
Sylvain