Re: Guidance for CVE triage and listing packages in dla-needed.txt
On Thu, Mar 14, 2024 at 11:39:41PM +0100, Ola Lundqvist wrote:
>
> I think we should clarify what we mean with "Minor issue". Is it what is
> typically written as "(Minor issue)" after "<no-dsa>" statement or
> something else.
> I'm asking since it seems to be a common view that we should fix all minor
> issues too. I do not agree to that, but others has expressed that opinion.
>
Can you suggest what might be a useful statement or description of what
constitutes a minor issue? I ask because nothing comes to mind. There
are a multitude of factors and considerations that contribute to the
severity of an issue, that this seems to me like a clear example of the
sort of reason that regular LTS contributors are all experienced DD with
security-relevant experience. Each case is a matter of professional
judgment.
> I think we should add that if LTS has an issue as no-dsa/postponed and
> (old-)stable has it fixed, then we should add/keep the package to
> dla-needed (or decide to ignore in case it is too invasive) to ensure LTS
> gets it fixed as well. At least that was the rule I concluded from the
> discussion and why I re-added a few packages back to dla-needed.
This seems like something that we already do, or am I mistaken? As in,
when a Debian release becomes LTS, one of the things that we do is to
review the packages which have outstanding unfixed CVEs and triage them
for LTS.
> I also think we should add that in the typical case (all
> no-dsa/postponed/ignored/fixed and they are few) this means that the
> package should be removed from dla-needed.txt. I think it has a merit,
> just to keep things tidy.
> In fact I think we should typically remove the package from dla-needed if
> it should not have been added, with exceptions described above.
If we end up moving to a workflow based on Salsa issues, then I think
that this will naturally occur. However, if we continue with a workflow
based primarily around dla-needed.txt I am not certain where we would
keep track of these packages which need work but perhaps not directly
for a DLA.
Regards,
-Roberto
--
Roberto C. Sánchez
Reply to: