
Re: Guidance for CVE triage and listing packages in dla-needed.txt



Hi Roberto

After first thinking about what "constitutes a minor issue?", I did some research and realized that there is in fact a good classification in the Debian Security team list here:
https://security-team.debian.org/security_tracker.html#severity-levels

We have "unimportant", "low", "medium" and "high".

The ones classified as "high" are clearly things that warrant a DSA/DLA, so they should never be postponed in LTS.
We can discuss medium, I think they should in general give a DSA/DLA but with lower prio.

Then we need to discuss how to handle all the "low" severity issues we have. We are fixing a lot of them. I think these should in general be postponed or ignored. But that is my view. Sure, fixing such issues can be good, but I'm not sure the risk of regression outweighs the security gain by fixing them, and also we can discuss whether it is worth fixing.

Related to this I think we should in fact start to use this severity classification more because the severity level will definitely help with the decision on which packages to fix first.

Cheers

// Ola

On Thu, 28 Mar 2024 at 23:50, Ola Lundqvist <ola@inguza.com> wrote:
Hi Roberto

You ask me what constitutes a minor issue. My first thought was that I do not really know. But after some thinking I know, it is just that I cannot express it.
I'll think about it. I think we should have a guideline that we can review. I'll make a proposal.

But it has to be done after Easter. Now it is holiday time. :-)

Cheers

// Ola

On Sun, 24 Mar 2024 at 01:59, Roberto C. Sánchez <roberto@debian.org> wrote:
On Thu, Mar 14, 2024 at 11:39:41PM +0100, Ola Lundqvist wrote:
>
>    I think we should clarify what we mean with "Minor issue". Is it what is
>    typically written as "(Minor issue)" after the "<no-dsa>" statement, or
>    something else?
>    I'm asking since it seems to be a common view that we should fix all minor
>    issues too. I do not agree with that, but others have expressed that opinion.

Can you suggest what might be a useful statement or description of what
constitutes a minor issue? I ask because nothing comes to mind. There
are a multitude of factors and considerations that contribute to the
severity of an issue, so much so that this seems to me like a clear example
of the sort of reason that regular LTS contributors are all experienced DDs
with security-relevant experience. Each case is a matter of professional
judgment.

>     I think we should add that if LTS has an issue as no-dsa/postponed and
>    (old-)stable has it fixed, then we should add/keep the package to
>    dla-needed (or decide to ignore in case it is too invasive) to ensure LTS
>    gets it fixed as well. At least that was the rule I concluded from the
>    discussion and why I re-added a few packages back to dla-needed.

This seems like something that we already do, or am I mistaken? As in,
when a Debian release becomes LTS, one of the things that we do is to
review the packages which have outstanding unfixed CVEs and triage them
for LTS.

>    I also think we should add that in the typical case (all
>    no-dsa/postponed/ignored/fixed and they are few) this means that the
>    package should be removed from dla-needed.txt. I think it has a merit,
>    just to keep things tidy.
>    In fact I think we should typically remove the package from dla-needed if
>    it should not have been added, with exceptions described above.

If we end up moving to a workflow based on Salsa issues, then I think
that this will naturally occur. However, if we continue with a workflow
based primarily around dla-needed.txt I am not certain where we would
keep track of these packages which need work but perhaps not directly
for a DLA.

Regards,

-Roberto

--
Roberto C. Sánchez



--
 --- Inguza Technology AB --- MSc in Information Technology ----
|  ola@inguza.com                    opal@debian.org            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
 ---------------------------------------------------------------


