Hi, (the long block of text is from Salvatore and should probably still go to https://security-team.debian.org/security_tracker.html)
On Tue, Mar 03, 2020 at 08:45:36AM +0100, Ola Lundqvist wrote: > > On 02/03/2020 06:53, Salvatore Bonaccorso wrote: > > > On Mon, Mar 02, 2020 at 01:57:05AM -0000, Chris Lamb wrote: > > >>> Internally they are all no-dsa states for the tracker. But think of it > > >>> of three "flavours" of no-dsa. > > >>> > > >>> For instance for postponed, we think that an update is woth of a DSA, > > >>> but it makes no sense to just release a DSA for it and the issue > > >>> should be tried to be included in a next update (be it DSA or even a > > >>> point release do not mather, but it has a stronger meaning that if a > > >>> future update is to be done then yes this needs to be included as well > > >>> if possible). > > >>> > > >>> The regular no-dsa is weker in in this regard. It just means, there is > > >>> no need or an update via security for it. It can be fixed for instance > > >>> via a point release *but* it is not expcluded that you can piggy-back > > >>> such a fix as well once a DSA worthy issue appear and you want to > > >>> issue a DSA/DLA. > > >>> > > >>> ignored is the stronges on the other part. It indicates from the > > >>> security-team perspective (or LTS team) we generally will not look > > >>> again at the issue (well expecptions can exists). It is a falvour of > > >>> no-dsa but meaning it even a future evaluation its likely just skiped. > > >> Ooh, this was very helpful; thank you. Indeed, can we get these very > > >> rough-and-ready definitions copy-pasted somewhere? > We have this fairly well described here: > https://security-team.debian.org/security_tracker.html > Should that page be updated in some way? yes, and Salvatore already suggested this: > > > Yes sure (fixing my obvious english grammar issues and typos). We have > > > a very "high level" view on this in [1], but it might make sense to > > > add some verbose explanation/outline on this on your repsective LTS > > > subpage where issue triage is documented. The most important bit is, I > > > think to explain they are basically all no-dsa, but "smell directions" > > > or flavours, with strongness on how the respective team will consider > > > they. > > > > > > [1] > > > https://security-team.debian.org/security_tracker.html#issues-not-warranting-a-security-advisory so, yes, if someone could update doc/security-team.d.o/security_tracker in security-tracker.git with above info from Salvatore, that would be awesome! -- cheers, Holger ------------------------------------------------------------------------------- holger@(debian|reproducible-builds|layer-acht).org PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C There are no jobs on a dead planet.
signature.asc
Description: PGP signature
