
Re: is fixing all low-severity CVEs welcome by Debian?



Hi,

On 11/12/2024 18:11, Adrian Bunk wrote:
On Wed, Dec 11, 2024 at 05:10:54PM +0100, Sylvain Beucler wrote:
On 11/12/2024 16:17, Adrian Bunk wrote:
and possibly get secteam's general feeling on this (since
this is apparently at their initiative).
...

My understanding is that they were providing a list of packages/CVEs
where LTS contributors failed to submit fixes for DLA-fixed CVEs to
bookworm-pu.

If that's the case, then it's all fine.

Seen from a different angle though: maybe LTS contributors shouldn't have fixed those low-severity CVEs in the first place. Maybe those weren't worth a fix. But once they are fixed in LTS, by fixing all other dists for consistency reasons, we may unnecessarily increase the workload on Debian and LTS, and the risk of regression.

One (old) example: DLA-2602-1 fixed many UBSAN-based low-severity CVEs in imagemagick, bringing 24 more backports on top of the 200+ already present.

Maybe Debian welcomes this kind of fix, or maybe it considers it an annoyance. (When following Stable, we're sure it's welcome.) That's what I've been trying to figure out in this thread; I hope this is clearer.

Cheers!
Sylvain

