Re: Fixing minor/unimportant issues via DLA on demand

To: debian-lts@lists.debian.org
Subject: Re: Fixing minor/unimportant issues via DLA on demand
From: Sylvain Beucler <beuc@beuc.net>
Date: Fri, 20 Mar 2020 13:03:01 +0100
Message-id: <[🔎] e4f4d335-6473-8b0c-1efd-75102cdc22d1@beuc.net>
In-reply-to: <[🔎] CAPP0f97Rhhni3FFifawmOsJBU928JmQCGxBZLmcLeQUPkFpSNA@mail.gmail.com>
References: <[🔎] CAPP0f97Rhhni3FFifawmOsJBU928JmQCGxBZLmcLeQUPkFpSNA@mail.gmail.com>

Hi,

On 20/03/2020 01:37, Utkarsh Gupta wrote:
> I was curious to know if we can (or rather, we should) fix some
> CVE(s), which has been marked minor/unimportant by the Security team
> or/and the person at front-desk, if there's a demand for it (meaning,
> some Jessie user requested it)?
> Or, if the maintainer (upstream or downstream or both) wants it to be
> fixed in Jessie?
These are 2 cases (request from Jessie user or from maintainer) that I
yet to see :)
Do you have a specific case in mind?

More generally:
- minor: when marked no-dsa or postponed (no-dsa substate), usually
those are usually fixed later in batch, or along with a normal/major
security flaw, to avoid too many security updates (whose impact is not
neutral for users)
- unimportant: those are more rare and usually not fixed at all, because
they are not supposed to impact security in the context of our Debian
package

Cheers!
Sylvain

Reply to:

Follow-Ups:
- Re: Fixing minor/unimportant issues via DLA on demand
  - From: Utkarsh Gupta <utkarsh@debian.org>

References:
- Fixing minor/unimportant issues via DLA on demand
  - From: Utkarsh Gupta <utkarsh@debian.org>

Prev by Date: Re: Bug#953950: python-twisted: twisted version 14.0.2-3+deb8u1 in jessie (security) is broken
Next by Date: Re: Fixing minor/unimportant issues via DLA on demand
Previous by thread: Fixing minor/unimportant issues via DLA on demand
Next by thread: Re: Fixing minor/unimportant issues via DLA on demand
Index(es):
- Date
- Thread