
Re: RFR: openscad update
Hi Anton,

On Mon, Jun 27, 2022 at 09:12:11PM +0200, Anton Gladky wrote:
> Thus you can get experience with dealing with such uploads. Anyway, for
> LTS we do not have any point releases. So basically it is possible to fix
> even those CVEs which are not DSA-considered. But for a not-important issue
> it is better to pick up several issues (maybe together with some important
> ones) and make an upload.

I am having difficulties understanding the process then. I was assuming
that packages added to dla-needed.txt would need an update. If my
understanding of the process is correct, an unimportant issue should be
marked in data/CVE/list and not be added to dla-needed.txt in the
first place.

All of the openscad issues in all suites are input file format
sanitizing issues. To me, there's not much difference in their severity.
So on the surface, someone seems to have deemed them important, no?

> Leaving the package in dla-needed.txt without any action is not a good idea.
> Either the upload should be done with the fixes, or the CVEs should be tagged as
> <ignored> in the tracker. In both cases the package should be removed from
> dla-needed.txt as well.

Given my confusion, I unclaimed the package and left a note saying that
it is no longer clear whether an update is needed and where a ported and
validated fix is to be found.

Helmut