[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: What do do with bullseye minor issues?


On 14/07/2022 23:49, Ola Lundqvist wrote:
During my front desk work I have now got down to the CVEs for buster
that are "postponed".
The triage script suggests me to "ignore" or "fix".
You mean this particular section:
"Issues postponed for <oldstable>, but already fixed in <stable> via DSA or point releases (to be fixed or <ignored>):"

There seem to be a misunderstanding between minor issues /in general/ (Anton's new ticket/discussion), and these very specific CVEs that are /already fixed/ in stable.

Since they are /already fixed/ in stable, we should either follow suit and fix them promptly in oldstable (for consistency with the maintainer and secteam's decision), or mark them <ignored> explaining why we won't. Keeping them <no-dsa> or <postponed> doesn't make sense, hence why the script reports it.
More info and rationale at:

Also let's note that "minor" in the tracker means "non-critical/non-urgent" (and not "trivial/unimportant"), i.e. not requiring active tracking and/or NMU from secteam (they leave it to the maintainer).

For minor issues /in general/, there's Anton's ticket/discussion:
which AFAIU addresses the opposite issue (fixing <no-dsa> that are /not fixed/ in stable).

In short, I believe the recommendation from lts-cve-triage.py is right.


Reply to: