Hi, On 11/05/2023 17:22, Tobias Frost wrote:
nvidia-graphics-drivers-legacy-390xx is now uploaded, (tested with some old GTX770…) A procedural question: For the remaining CVE's (and those of nvidia-graphics-drivers), do I mark them "end-of-life" (e.g by saying in CVE/list: [buster] - nvidia-graphics-drivers <end-of-life> (EOL in buster LTS) or just ignore them?
I think <end-of-life> would work if it's documented in debian-security-support. Otherwise we can just continue to mark them <ignored>, which is also what the security team does, e.g.:
CVE-2022-42259 ... - nvidia-graphics-drivers-legacy-340xx <unfixed>[buster] - nvidia-graphics-drivers-legacy-340xx <ignored> (Non-free not supported, no updates provided by Nvidia anymore)
Cheers! Sylvain