Hi We have this fairly well described here: https://security-team.debian.org/security_tracker.html
Should that page be updated in some way? // Ola On Mon, 2 Mar 2020 at 11:11, Sylvain Beucler <b...@beuc.net> wrote: > Hi, > > On 02/03/2020 06:53, Salvatore Bonaccorso wrote: > > On Mon, Mar 02, 2020 at 01:57:05AM -0000, Chris Lamb wrote: > >>> Internally they are all no-dsa states for the tracker. But think of it > >>> of three "flavours" of no-dsa. > >>> > >>> For instance for postponed, we think that an update is woth of a DSA, > >>> but it makes no sense to just release a DSA for it and the issue > >>> should be tried to be included in a next update (be it DSA or even a > >>> point release do not mather, but it has a stronger meaning that if a > >>> future update is to be done then yes this needs to be included as well > >>> if possible). > >>> > >>> The regular no-dsa is weker in in this regard. It just means, there is > >>> no need or an update via security for it. It can be fixed for instance > >>> via a point release *but* it is not expcluded that you can piggy-back > >>> such a fix as well once a DSA worthy issue appear and you want to > >>> issue a DSA/DLA. > >>> > >>> ignored is the stronges on the other part. It indicates from the > >>> security-team perspective (or LTS team) we generally will not look > >>> again at the issue (well expecptions can exists). It is a falvour of > >>> no-dsa but meaning it even a future evaluation its likely just skiped. > >> > >> > >> Ooh, this was very helpful; thank you. Indeed, can we get these very > >> rough-and-ready definitions copy-pasted somewhere? > >> > >> However imprecise (and maybe just at first within the LTS pages, but > >> whatever…) but I bet that would be very beneficial to new contributors > >> and, well, to me too — I feel like there have been times in the past > >> when I have not been as precise as I would have liked on the > >> distinction between <ignored> and <no-dsa>, incorrectly thinking them > >> to be essentially synonymous. > > > > Yes sure (fixing my obvious english grammar issues and typos). We have > > a very "high level" view on this in [1], but it might make sense to > > add some verbose explanation/outline on this on your repsective LTS > > subpage where issue triage is documented. The most important bit is, I > > think to explain they are basically all no-dsa, but "smell directions" > > or flavours, with strongness on how the respective team will consider > > they. > > > > [1] > https://security-team.debian.org/security_tracker.html#issues-not-warranting-a-security-advisory > > If we need to document/precise [1] in LTS documentation, I'd recommend > sticking to <ignore|postponed> as much as possible, since no-dsa > basically means triage is not complete. > > Cheers! > Sylvain > > -- --- Inguza Technology AB --- MSc in Information Technology ---- | o...@inguza.com o...@debian.org | | http://inguza.com/ Mobile: +46 (0)70-332 1551 | ---------------------------------------------------------------
