Re: following or getting ahead of Stable
On Wed, Dec 11, 2024 at 04:33:20PM -0500, Roberto C. Sánchez wrote:
>
> In summary: let's not prepare DLAs for only one or two low priority CVEs
> (for the reasons discussed above), but let's certainly include the fixes
> when fixing other high priority CVEs. This should be fairly close to
> what we are already doing.
>
To further clarify: if there are "many"[0] low priority CVEs, then it
may still warrant fixing them all via a DLA (even without a high
priority CVE being present).
One example of this is qemu, which currently has ~30 CVEs affecting
bullseye. (Thanks to Santiago for pointing out this example.)
Quickly looking through them, there is enough there to warrant working
towards a qemu DLA, even without a higher priority CVE to drive that.
Regards,
-Roberto
[0] I purposefully used "many" rather than give a specific number. As
with much of what we do, there is judgment and professional opinion
involved. There are some instances where 6 CVEs might be sufficient to
warrant a DLA and other instances where 25 CVEs might be insufficient.
--
Roberto C. Sánchez