
What to do with bullseye minor issues?



Hi fellow LTS contributors

During my front desk work I have now got down to the CVEs for buster
that are "postponed".
The triage script suggests that I "ignore" or "fix" them.
I know I should not change the triaging status for buster yet, but I'm now
working on setting some best practices to use later on.

The question is what to do with them in general.

Here are some examples.

composer CVE-2022-24828
e2guardian CVE-2021-44273
For bullseye they are fixed, but I cannot find any trace of a DSA. This must mean
that they were fixed in a point release without a DSA. I have not
checked.
For buster they were marked as no-dsa (Minor issue). Note that they were not proposed
for a point release.
One of them was unaffected in stretch; the other was also marked as a
minor issue for stretch.

The security team have clearly indicated that this is a minor issue so
I guess it should not be added to dla-needed.

But what should I do? Should I (or rather some future front desk when
buster is LTS responsibility) change the status from no-dsa to
ignored?

Or should we change the lts-triage script so that it does not say the issue should be ignored?

I'm asking since in earlier discussions we said that we should
generally not mark issues as "ignored" unless we really should not fix
them, because of a too intrusive change, backwards-compatibility issues
and the like. Now our triaging script tells us that we should, and that
contradicts the earlier conclusions we had.

Anyone with good advice?

The other type is CVE-2021-28210 for edk2. It is marked as minor issue
for buster, but it was fixed in the scope of a DLA for stretch.

In this case I'm more inclined to add it to dla-needed, with the
motivation that it was fixed in stretch, and if someone upgrades, the
system should not get worse from a security perspective.
Maybe we should automate the detection of this case in some way.

There are probably more, but now it is getting late for today so I
will continue checking tomorrow.

Cheers

// Ola

-- 
 --- Inguza Technology AB --- MSc in Information Technology ----
|  ola@inguza.com                    opal@debian.org            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
 ---------------------------------------------------------------
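The check that the message above proposes automating (an issue marked no-dsa or postponed in buster that an older release already shipped a DLA fix for) can be done by cross-referencing the tracker's data/CVE/list and data/DLA/list files. The script below is an added example for this thread, not the lts-triage script or any other security-tracker tooling. It assumes the file layouts described in its comments; the two excerpts it parses are constructed for the example, with the CVE/package pairs taken from the message and the DLA number, date and version strings as placeholders.

```python
#!/usr/bin/env python3
"""Flag CVEs deferred in a newer release that an older release fixed via DLA.

Added example, not the Debian security tracker's or the LTS team's own code.
It assumes the layout of data/CVE/list and data/DLA/list as described in the
comments below; the sample excerpts are constructed for this example (the
DLA id, date and version strings are placeholders, not real values).
"""
import re
from collections import defaultdict

# data/CVE/list (assumed layout): a header "CVE-YYYY-NNNN (description)",
# then indented lines.  "- pkg version" is the unstable entry; "[release] -
# pkg X" carries either a fixed version or a tag such as <no-dsa>, optionally
# followed by a reason in parentheses.
CVE_HEADER_RE = re.compile(r"^(CVE-\d{4}-\d{4,})(?:\s+\((.*)\))?$")
CVE_RELEASE_RE = re.compile(
    r"^\s+\[(?P<rel>[a-z]+)\] - (?P<pkg>\S+) (?P<state>\S+)(?: \((?P<reason>.*)\))?$"
)

# data/DLA/list (assumed layout): "[date] DLA-NNNN-R pkg - summary", then a
# "{CVE-... CVE-...}" line, then "[release] - pkg fixed-version" lines.
DLA_HEADER_RE = re.compile(r"^\[[^\]]+\] (?P<id>DLA-\d+-\d+) (?P<pkg>\S+) - .*$")
DLA_CVES_RE = re.compile(r"^\s+\{(?P<cves>[^}]*)\}$")
DLA_RELEASE_RE = re.compile(r"^\s+\[(?P<rel>[a-z]+)\] - (?P<pkg>\S+) (?P<ver>\S+)$")

# Tracker states meaning "known, deliberately not fixed (yet)" in a release.
DEFERRED_STATES = {"<no-dsa>", "<postponed>"}

# Constructed sample excerpts.  CVE/package pairs follow the message; the
# versions, date and DLA id are placeholders.
SAMPLE_CVE_LIST = "\n".join([
    "CVE-2021-28210 (constructed description)",
    "\t- edk2 <unfixed>",
    "\t[buster] - edk2 <no-dsa> (Minor issue)",
    "\t[stretch] - edk2 <no-dsa> (Minor issue)",
    "CVE-2022-24828 (constructed description)",
    "\t- composer 1.0-1",
    "\t[bullseye] - composer 1.0-1+deb11u1",
    "\t[buster] - composer <no-dsa> (Minor issue)",
    "\t[stretch] - composer <not-affected> (Vulnerable code not present)",
    "CVE-2021-44273 (constructed description)",
    "\t- e2guardian 1.0-1",
    "\t[bullseye] - e2guardian 1.0-1+deb11u1",
    "\t[buster] - e2guardian <no-dsa> (Minor issue)",
    "\t[stretch] - e2guardian <no-dsa> (Minor issue)",
])
SAMPLE_DLA_LIST = "\n".join([
    "[01 Jan 2021] DLA-0000-1 edk2 - security update",
    "\t{CVE-2021-28210}",
    "\t[stretch] - edk2 0.0-1+deb9u1",
])


def parse_cve_list(text):
    """Return {cve: {release: (pkg, state, reason)}}."""
    entries, current = {}, None
    for line in text.splitlines():
        m = CVE_HEADER_RE.match(line)
        if m:
            current = m.group(1)
            entries[current] = {}
            continue
        m = CVE_RELEASE_RE.match(line)
        if m and current is not None:
            entries[current][m["rel"]] = (m["pkg"], m["state"], m["reason"])
    return entries


def parse_dla_list(text):
    """Return {cve: [(dla_id, release, pkg, fixed_version)]}."""
    fixes = defaultdict(list)
    dla_id, cves = None, []
    for line in text.splitlines():
        m = DLA_HEADER_RE.match(line)
        if m:
            dla_id, cves = m["id"], []
            continue
        m = DLA_CVES_RE.match(line)
        if m:
            cves = m["cves"].split()
            continue
        m = DLA_RELEASE_RE.match(line)
        if m and dla_id is not None:
            for cve in cves:
                fixes[cve].append((dla_id, m["rel"], m["pkg"], m["ver"]))
    return fixes


def find_regressions(cve_text, dla_text, newer="buster", older="stretch"):
    """CVEs deferred in `newer` but shipped as a DLA fix for the same package in `older`.

    Returns sorted (cve, pkg, newer_state, newer_reason, dla_id) tuples: the
    candidates for dla-needed, so that upgrading does not lose a fix.
    """
    cves, fixes = parse_cve_list(cve_text), parse_dla_list(dla_text)
    hits = []
    for cve, rels in cves.items():
        if newer not in rels:
            continue
        pkg, state, reason = rels[newer]
        if state not in DEFERRED_STATES:
            continue
        for dla_id, rel, dla_pkg, _ver in fixes.get(cve, []):
            if rel == older and dla_pkg == pkg:
                hits.append((cve, pkg, state, reason, dla_id))
    return sorted(hits)


if __name__ == "__main__":
    for cve, pkg, state, reason, dla_id in find_regressions(SAMPLE_CVE_LIST, SAMPLE_DLA_LIST):
        print(f"{cve} {pkg}: buster {state} ({reason}) but stretch fixed in {dla_id}")
```

On the sample data only the edk2 issue is flagged: composer has no DLA entry and was not-affected in stretch, and e2guardian was deferred in both releases. Pointing the two parse functions at a checkout of the tracker's data/ directory would run the same check over the real lists; the package-name comparison is deliberate, so that a DLA for a differently named source package does not produce a false match.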

