[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: What do do with bullseye minor issues?

Hi Sylvain

Took me a month to get down here in the email backlog. I think your reasoning makes sense.
I have added the following to the LTS/Development page.

"If a CVE has been fixed in Debian Stable it should, in general, be fixed in LTS as well, or marked as ignored. It does not make sense to have such CVEs marked as postponed or no-dsa since either the Debian Security team or the maintainer have decided that it was worth fixing."
Please update that page if you think I was unclear or wrong.


// Ola

On Tue, 26 Jul 2022 at 00:49, Sylvain Beucler <beuc@beuc.net> wrote:

On 14/07/2022 23:49, Ola Lundqvist wrote:
> During my front desk work I have now got down to the CVEs for buster
> that are "postponed".
> The triage script suggests me to "ignore" or "fix".
You mean this particular section:
"Issues postponed for <oldstable>, but already fixed in <stable> via DSA
or point releases (to be fixed or <ignored>):"

There seem to be a misunderstanding between minor issues /in general/
(Anton's new ticket/discussion), and these very specific CVEs that are
/already fixed/ in stable.

Since they are /already fixed/ in stable, we should either follow suit
and fix them promptly in oldstable (for consistency with the maintainer
and secteam's decision), or mark them <ignored> explaining why we won't.
Keeping them <no-dsa> or <postponed> doesn't make sense, hence why the
script reports it.
More info and rationale at:

Also let's note that "minor" in the tracker means
"non-critical/non-urgent" (and not "trivial/unimportant"), i.e. not
requiring active tracking and/or NMU from secteam (they leave it to the

For minor issues /in general/, there's Anton's ticket/discussion:
which AFAIU addresses the opposite issue (fixing <no-dsa> that are /not
fixed/ in stable).

In short, I believe the recommendation from lts-cve-triage.py is right.


 --- Inguza Technology AB --- MSc in Information Technology ----
|  ola@inguza.com                    opal@debian.org            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |

Reply to: