On Wed, 28 May 2025 at 20:49, Sylvain Beucler <beuc@beuc.net> wrote:
I wonder if the problem is a matter of package priority, rather than
no-dsa itself.
That's what it looks like to me, from the outside.
I think all distributions out there are defaulting to not fixing lows and
moderates for releases >5 years old, exception being when a user requests.
Fixing a single no-dsa for a single python update isn't fine, because we
don't want many DLAs and spam the sysadmins worldwide. This can be postponed.
I don't think sysadmins ever get concerned about too many CVE fixes, they tend
to actually reduce the spam they get from the scanning solutions, but I overall
agree with your other points.
I've got the feeling that many contributors pick updates in
xla-needed.txt without checking their priority in ./find-work. All the
planned work to fine-tune package priority using CVE severities won't be
useful if contributors never check the package priorities.
It would be saner, less risky and clearer to users, to state something like
"ELTS will default to only fixing DSA-worthy vulnerabilities, users can
request fixes". Other vulnerabilities can also be fixed, but the prioritization
can come from somewhere else, e.g. a key package or a user request.