
Documentation for the new <undetermined> tag



Hi all,

I have implemented support for a new tag in the tracker called
<undetermined>.  The purpose of this tag is to describe the state of an
issue that you are fairly certain applies to a specific package, but
you have not had enough time (or there is not yet enough information)
to be confident in applying <unfixed>, fixed, or any of the other
currently available statuses to the entry.  This, for example, allows
you to pass the burden on to the maintainer while also keeping track
of it.  This is primarily intended for ill-defined, very new, and
massive issues.

If you are confident that an issue is fixed in a specific version, or
that it is known <unfixed>, then <undetermined> wouldn't be the right
status. Please continue to use the appropriate status when you have
confidence in the state.  If you know that an issue is fixed, but you
don't know in which specific version the fix is applied, you could also use
<undetermined>, but it should not be treated as a permanent
state.  You should come back and determine the fixed version.

This tag creates a third status in the security tracker sqlite
database, called undetermined.  Previously there were only two valid
statuses: vulnerable and fixed.

For every CVE that has a source package with an <undetermined> tag, the
tracker will now state that the status is undetermined for that source
package and its associated binary packages on the CVE page.  It will
also state that the package "may be vulnerable" for each individual
release where that is appropriate.  If an urgency has not yet been
specified in the CVE list, an undetermined urgency is automatically
assigned, it is displayed normally with the entered urgency.

For debsecan, undetermined issues are presently listed without an
urgency (as if the issue were unfixed with no urgency included in
the CVE list). This is not ideal, and should probably be improved in the
future given the time to implement that.

Any questions or feedback, please let me know.

Best wishes,
Mike

