On 28/09/2022 23:54, Ola Lundqvist wrote:
> Hi Sylvain,
>
> Took me a month to get down here in the email backlog. I think your reasoning makes sense. I have added the following to the LTS/Development page:
>
> "If a CVE has been fixed in Debian Stable it should, in general, be fixed in LTS as well, or marked as ignored. It does not make sense to have such CVEs marked as postponed or no-dsa since either the Debian Security team or the maintainer have decided that it was worth fixing."
>
> Please update that page if you think I was unclear or wrong.
I don't think that's correct. Say for example: package foo has two CVEs:

- CVE-2022-1234 of high severity, affecting stable
- CVE-2022-5678 of minor severity, affecting stable and oldstable

The sec-team fixes both. Now, what do we do? According to your reasoning, we should either do a DLA to fix a single minor issue, or mark it as ignored. I think marking it as postponed is the correct course of action here.
I can think of similar situations when a maintainer fixes a minor issue through a point release. It could be fixed or postponed, but there's no need to ignore it.
Cheers,
Emilio