[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: What do do with bullseye minor issues?

Thank you. Added a comment on this.

// Ola

On Fri, 15 Jul 2022 at 06:18, Anton Gladky <gladk@debian.org> wrote:
>
> Hi Ola,
>
> thanks for rising this very important question.
>
> Please use this ticket [1] for the discussion. So we will
> be able to formulate the common position and put everything
> into the documentation.
>
> [1] https://salsa.debian.org/lts-team/lts-extra-tasks/-/issues/38
>
> Regards
>
> Anton
>
>
>
> Am Do., 14. Juli 2022 um 23:50 Uhr schrieb Ola Lundqvist <ola@inguza.com>:
>>
>> Hi fellow LTS contributors
>>
>> During my front desk work I have now got down to the CVEs for buster
>> that are "postponed".
>> The triage script suggests me to "ignore" or "fix".
>> I know I should not change triaging status for buster, yet but I'm now
>> working on setting some best practices to use later on.
>>
>> The question is what to do with them in general.
>>
>> Here are some examples.
>>
>> composer CVE-2022-24828
>> e2guardian CVE2021-44273
>> bullseye is fixed but I cannot find any trace of a DSA. This must mean
>> that it was fixed in a point release without a DSA. I have not
>> checked.
>> For buster it was marked as no-dsa (Minor issue). Note not proposed
>> for point release.
>> One of them was unaffected in stretch the other was also marked as
>> minor issue for stretch.
>>
>> The security team have clearly indicated that this is a minor issue so
>> I guess it should not be added to dla-needed.
>>
>> But what should I do? Should I (or rather some future front desk when
>> buster is LTS responsibility) change the status from no-dsa to
>> ignored?
>>
>> Or should we change the lts-triage script to not tell that it should be ignored?
>>
>> I'm asking since from earlier discussions we have said that we should
>> generally not mark issues as "ignored" unless we really should not fix
>> it, because of too intrusive change, backwards compatibility issues
>> and the like. Now our triaging script tells us that we should and that
>> is contradicting the earlier conclusions we had.
>>
>> Anyone with good advice?
>>
>> The other type is CVE-2021-28210 for edk2. It is marked as minor issue
>> for buster, but it was fixed in the scope of a DLA for stretch.
>>
>> In this case I'm more inclined to add it to dla-needed with the
>> motivation that it was fixed in stretch and if someone upgrade the
>> system should not get worse from a security perspective.
>> Maybe we should automate the detection of this case in some way.
>>
>> There are probably more, but now it is getting late for today so I
>> will continue checking tomorrow.
>>
>> Cheers
>>
>> // Ola
>>
>> --
>>  --- Inguza Technology AB --- MSc in Information Technology ----
>> |  ola@inguza.com                    opal@debian.org            |
>> |  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
>>  ---------------------------------------------------------------
>>


-- 
 --- Inguza Technology AB --- MSc in Information Technology ----
|  ola@inguza.com                    opal@debian.org            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
 ---------------------------------------------------------------
Reply to: