
Re: What to do with bullseye minor issues?

On 28/09/2022 23:54, Ola Lundqvist wrote:
> Hi Sylvain
>
> Took me a month to get down here in the email backlog. I think your
> reasoning makes sense.
> I have added the following to the LTS/Development page.
>
> "If a CVE has been fixed in Debian Stable it should, in general, be fixed
> in LTS as well, or marked as ignored. It does not make sense to have such
> CVEs marked as postponed or no-dsa since either the Debian Security team or
> the maintainer has decided that it was worth fixing."
> Please update that page if you think I was unclear or wrong.

I don't think that's correct. Say for example:

Package foo has two CVEs:

- CVE-2022-1234 of high severity, affecting stable
- CVE-2022-5678 of minor severity, affecting stable and oldstable

The sec-team fixes both.

Now, what do we do? According to your reasoning, we should either do a DLA to fix a single minor issue, or mark it as ignored. I think marking it as postponed is the correct course of action here.

I can think of similar situations when a maintainer fixes a minor issue through a point release. It could be fixed or postponed, but there's no need to ignore it.

