Re: What pain points exist in the current security-tracker structure?
On Wed, Apr 23, 2025 at 09:38:47PM +0200, Sylvain Beucler wrote:
>...
> On 06/04/2025 09:25, Roberto C. Sánchez wrote:
> > As you go about tasks which require interacting with the security
> > tracker, what pain points exist for you?
>
> One pain point that happened again today is the confusing terminology.
>
> In particular:
>
> - "no-dsa": everybody gets confused by this: users, maintainers, LTS
> contributors.
> It's generally understood as "won't fix", while it can be fixed through
> other means than DSA (typically PU).
"should-be-fixed-in-pu" would be more exact, but also too long.
> In general, let's not name something using a negative.
>
> Let's keep in mind that even among DDs/DMs the different security workflows
> aren't clear (DSA, PU), they usually only upload to unstable.
>
> It gets even more confusing when the CVE eventually moves to LTS.
>
> The fact that it has "sub-states" with postponed & ignored is unique in the
> tracker and brings further confusion.
>
> "deferred" (as is: deferred from Debian Security Team to the rest of Debian:
> maintainers, release team, LTS team, etc.) may be better, though still
> unclear to a common Debian user.
>
> Dropping "no-dsa" and only using "postponed" and "ignored" would be another
> proposal.
>...
Using "postponed" in stable is more confusing terminology than "no-dsa",
since "postponed" sounds even more as if it should not be fixed in pu.
Calling "ignored" a sub-state of "no-dsa" is confusing terminology.
"no-dsa" and "postponed" both mean that the CVE alone will never
justify a DSA, but it should be fixed in pu (or as part of a DSA for
other CVEs).
"ignored" means there is a good reason why the CVE should never
be fixed.[1]
I think what was intended was that "no-dsa" is the result of triaging
only for severity, while "postponed"/"ignored" also includes a statement
about the feasibility of fixing a "no-dsa" CVE.
After tagging "no-dsa" the security team does not usually look further
at a CVE.
Calling "ignored" a sub-state is wrong in cases where a high-severity
CVE that would warrant a DSA/DLA is tagged "ignored" because backporting
a fix is not feasible.
The difference between stable and LTS is not only at the CVE level,
but also at the package level.
When after triaging all CVEs in a package a non-zero number has no tags
like "no-dsa", then a DSA should be issued.
A main difference is what happens otherwise, DLA has a higher threshold
for issuing an update than pu.
When a package has 1 low-severity CVE a pu upload would still be
appropriate, but a DLA might not be.
For 40 low-severity CVEs a DLA will usually be issued (but not a DSA).
> Cheers!
> Sylvain
cu
Adrian
[1] There are some "ignored" tags that should really be "no-dsa"
or "postponed", "<ignored> (Minor issue)" strikes me as wrong.