Re: Guidance for CVE triage and listing packages in dla-needed.txt

[Ola Lundqvist <ola@inguza.com>]

Hi Roberto

You ask me what constitutes a minor issue. My first thought was that I do not really know. But after some thinking I know, it is just that I cannot express it.

I'll think about it. I think we should have a guideline that we can review. I'll make a proposal.

But it has to be done after Easter. Now it is holiday time. :-)

Cheers

// Ola

On Sun, 24 Mar 2024 at 01:59, Roberto C. Sánchez <roberto@debian.org> wrote:

On Thu, Mar 14, 2024 at 11:39:41PM +0100, Ola Lundqvist wrote:
>
>    I think we should clarify what we mean with "Minor issue". Is it what is
>    typically written as "(Minor issue)" after "<no-dsa>" statement or
>    something else.
>    I'm asking since it seems to be a common view that we should fix all minor
>    issues too. I do not agree to that, but others has expressed that opinion.
>     
Can you suggest what might be a useful statement or description of what
constitutes a minor issue? I ask because nothing comes to mind. There
are a multitude of factors and considerations that contribute to the
severity of an issue, that this seems to me like a clear example of the
sort of reason that regular LTS contributors are all experienced DD with
security-relevant experience. Each case is a matter of professional
judgment.

>     I think we should add that if LTS has an issue as no-dsa/postponed and
>    (old-)stable has it fixed, then we should add/keep the package to
>    dla-needed (or decide to ignore in case it is too invasive) to ensure LTS
>    gets it fixed as well. At least that was the rule I concluded from the
>    discussion and why I re-added a few packages back to dla-needed.

This seems like something that we already do, or am I mistaken? As in,
when a Debian release becomes LTS, one of the things that we do is to
review the packages which have outstanding unfixed CVEs and triage them
for LTS.

>    I also think we should add that in the typical case (all
>    no-dsa/postponed/ignored/fixed and they are few) this means that the
>    package should be removed from dla-needed.txt. I think it has a merit,
>    just to keep things tidy.
>    In fact I think we should typically remove the package from dla-needed if
>    it should not have been added, with exceptions described above.

If we end up moving to a workflow based on Salsa issues, then I think
that this will naturally occur. However, if we continue with a workflow
based primarily around dla-needed.txt I am not certain where we would
keep track of these packages which need work but perhaps not directly
for a DLA.

Regards,

-Roberto

--
Roberto C. Sánchez

--

 --- Inguza Technology AB --- MSc in Information Technology ----

|  ola@inguza.com                    opal@debian.org            |

|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |

 ---------------------------------------------------------------