
Re: Guidance for CVE triage and listing packages in dla-needed.txt



Emilio Pozuelo Monfort wrote:
> Small nitpick: a CVE 'ignored' for (old)stable can still be fixed via point
> release. The sec-team could be contacted to update that triaging, but that's
> only ignored for (old)stable-security, not for (old)stable, where other
> criteria apply. The reason following the ignored triaging may give some
> more insight as to why it was ignored and why it may or may not make sense
> to fix in a point release.

That's not in line with established practices, see
https://security-team.debian.org/triage.html

| Some packages should rather not be fixed at all, e.g. because the possible
| benefit does not outweigh the risk/costs of an update, or because an update
| is not possible (e.g. as it would introduce behavioural changes not appropriate
| for a stable release). In the Security Tracker these are tracked with the
| <ignored> state.

Cheers,
        Moritz

