
Re: Guidance for CVE triage and listing packages in dla-needed.txt



On Thu, Mar 14, 2024 at 11:39:41PM +0100, Ola Lundqvist wrote:
> 
>    I think we should clarify what we mean with "Minor issue". Is it what is
>    typically written as "(Minor issue)" after the "<no-dsa>" statement, or
>    something else?
>    I'm asking since it seems to be a common view that we should fix all minor
>    issues too. I do not agree to that, but others have expressed that opinion.
>
Can you suggest what might be a useful statement or description of what
constitutes a minor issue? I ask because nothing comes to mind. There
are such a multitude of factors and considerations that contribute to the
severity of an issue that this seems to me like a clear example of the
sort of reason that regular LTS contributors are all experienced DDs with
security-relevant experience. Each case is a matter of professional
judgment.

>     I think we should add that if LTS has an issue as no-dsa/postponed and
>    (old-)stable has it fixed, then we should add/keep the package to
>    dla-needed (or decide to ignore in case it is too invasive) to ensure LTS
>    gets it fixed as well. At least that was the rule I concluded from the
>    discussion and why I re-added a few packages back to dla-needed.

This seems like something that we already do, or am I mistaken? As in,
when a Debian release becomes LTS, one of the things that we do is to
review the packages which have outstanding unfixed CVEs and triage them
for LTS.

>    I also think we should add that in the typical case (all
>    no-dsa/postponed/ignored/fixed and they are few) this means that the
>    package should be removed from dla-needed.txt. I think it has a merit,
>    just to keep things tidy.
>    In fact I think we should typically remove the package from dla-needed if
>    it should not have been added, with exceptions described above.

If we end up moving to a workflow based on Salsa issues, then I think
that this will naturally occur. However, if we continue with a workflow
based primarily around dla-needed.txt I am not certain where we would
keep track of these packages which need work but perhaps not directly
for a DLA.

Regards,

-Roberto

-- 
Roberto C. Sánchez
