Re: What to do with bullseye minor issues?



Hi Sylvain

Took me a month to get down here in the email backlog. I think your reasoning makes sense.
I have added the following to the LTS/Development page.

"If a CVE has been fixed in Debian Stable it should, in general, be fixed in LTS as well, or marked as ignored. It does not make sense to have such CVEs marked as postponed or no-dsa since either the Debian Security team or the maintainer have decided that it was worth fixing."
Please update that page if you think I was unclear or wrong.

Cheers

// Ola

On Tue, 26 Jul 2022 at 00:49, Sylvain Beucler <beuc@beuc.net> wrote:
Hi,

On 14/07/2022 23:49, Ola Lundqvist wrote:
> During my front desk work I have now got down to the CVEs for buster
> that are "postponed".
> The triage script suggests me to "ignore" or "fix".
You mean this particular section:
"Issues postponed for <oldstable>, but already fixed in <stable> via DSA
or point releases (to be fixed or <ignored>):"

There seems to be a misunderstanding between minor issues /in general/
(Anton's new ticket/discussion), and these very specific CVEs that are
/already fixed/ in stable.

Since they are /already fixed/ in stable, we should either follow suit
and fix them promptly in oldstable (for consistency with the maintainer
and secteam's decision), or mark them <ignored> explaining why we won't.
Keeping them <no-dsa> or <postponed> doesn't make sense, hence why the
script reports it.
More info and rationale at:
https://lists.debian.org/debian-lts/2022/04/msg00011.html

Also let's note that "minor" in the tracker means
"non-critical/non-urgent" (and not "trivial/unimportant"), i.e. not
requiring active tracking and/or NMU from secteam (they leave it to the
maintainer).


For minor issues /in general/, there's Anton's ticket/discussion:
https://salsa.debian.org/lts-team/lts-extra-tasks/-/issues/38
which AFAIU addresses the opposite issue (fixing <no-dsa> that are /not
fixed/ in stable).


In short, I believe the recommendation from lts-cve-triage.py is right.

Cheers!
Sylvain


--
 --- Inguza Technology AB --- MSc in Information Technology ----
|  ola@inguza.com                    opal@debian.org            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
 ---------------------------------------------------------------
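The check the thread agrees on (a CVE already fixed in stable via DSA or point release should not sit as <postponed> or <no-dsa> in oldstable) is small enough to show end to end. The following is an added example written for this page; it is not lts-cve-triage.py and not code from the Debian security tracker. It parses a constructed, simplified excerpt in the style of the tracker's data/CVE/list file (the CVE numbers, package names and versions are invented) and reports the records where the oldstable state contradicts the stable one. The suite names "bullseye" and "buster" are assumed as stable/oldstable, matching the July 2022 discussion.

```python
"""Flag CVEs fixed in stable but still only postponed / no-dsa in oldstable.

Added illustration for the debian-lts thread above; not the tracker's own
tooling. The record format below is a simplified model of data/CVE/list.
"""
import re

# Constructed sample records (hypothetical CVE ids, packages and versions).
SAMPLE_CVE_LIST = """\
CVE-2022-0001 (hypothetical issue in foo)
\t- foo 1.2.3-2 (bug #900001)
\t[bullseye] - foo 1.2.1-1+deb11u1
\t[buster] - foo <postponed> (Minor issue)
CVE-2022-0002 (hypothetical issue in bar)
\t- bar 2.0-1
\t[bullseye] - bar <no-dsa> (Minor issue)
\t[buster] - bar <no-dsa> (Minor issue)
CVE-2022-0003 (hypothetical issue in baz)
\t- baz 3.1-1
\t[bullseye] - baz 3.0-1+deb11u2
\t[buster] - baz <ignored> (Not worth the effort)
CVE-2022-0004 (hypothetical issue in qux)
\t- qux 4.0-1
\t[bullseye] - qux 4.0-1+deb11u1
\t[buster] - qux <no-dsa> (Minor issue)
"""

CVE_HEADER = re.compile(r"^(CVE-\d{4}-\d+)")
SUITE_LINE = re.compile(r"^\s+\[(\w+)\]\s+-\s+(\S+)\s+(\S+)")

# Tracker states that mean "we are not acting on this right now".
DEFERRED_STATES = {"<postponed>", "<no-dsa>"}


def parse_cve_list(text):
    """Return {cve: {suite: (package, state)}} from list-style text.

    A state is either a fixed version (e.g. 1.2.1-1+deb11u1) or an angle-bracket
    tag such as <no-dsa>, <postponed>, <ignored>, <unfixed>.
    """
    records = {}
    current = None
    for line in text.splitlines():
        header = CVE_HEADER.match(line)
        if header:
            current = header.group(1)
            records[current] = {}
            continue
        suite = SUITE_LINE.match(line)
        if suite and current is not None:
            name, package, state = suite.groups()
            records[current][name] = (package, state)
    return records


def is_fixed(state):
    """A concrete version means fixed; any <tag> means not (yet) fixed."""
    return not state.startswith("<")


def triage_fixed_in_stable(records, stable="bullseye", oldstable="buster"):
    """Return {cve: package} for records whose stable entry is a fixed version
    while the oldstable entry is still <postponed> or <no-dsa>.

    These are the entries that, per the thread, should become either a fix in
    oldstable or an explicit <ignored> with a reason.
    """
    flagged = {}
    for cve, suites in records.items():
        if stable not in suites or oldstable not in suites:
            continue
        _, stable_state = suites[stable]
        package, oldstable_state = suites[oldstable]
        if is_fixed(stable_state) and oldstable_state in DEFERRED_STATES:
            flagged[cve] = package
    return flagged


if __name__ == "__main__":
    for cve, package in triage_fixed_in_stable(parse_cve_list(SAMPLE_CVE_LIST)).items():
        print(f"{cve} ({package}): fixed in stable; fix in oldstable or mark <ignored>")
```

Running it on the constructed sample flags CVE-2022-0001 and CVE-2022-0004 only: CVE-2022-0002 is <no-dsa> in both suites (Anton's "minor issues in general" case, which this check deliberately leaves alone), and CVE-2022-0003 is already <ignored> in oldstable, which is one of the two acceptable outcomes.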
