Hi Lynoure, all

Lynoure, thank you for your help. I have got the answers I need. Much appreciated!

Moritz, Lynoure, for the future, is there any way I could have improved the questions in my initial email? I have re-read the CVEs quite a bit now and I do not see how I could have formulated myself much differently.

To my knowledge there is no information in the security tracker whether there are plans to update the package or not and whether you would object to an upload. Just because it is marked as no-dsa does not mean that the package maintainer does not plan to do an update. All it means is that the security team will not take any further actions. There are plenty of cases when the maintainer does an update even if the security team has marked the CVE as no-dsa.

The reason I sent this email was to make sure the LTS team does not do anything that you do not want us to do.

In any case, thank you for your help. Now I know that there are no such plans and you would not object to the LTS team doing an update on stable/buster. This was exactly what I wanted to know.

Best regards

// Ola

On Wed, 19 May 2021 at 17:03, Lynoure Braakman <lyno...@lynoure.net> wrote:

> On 19/05/2021 09:38, Moritz Muehlenhoff wrote:
> > Ola Lundqvist wrote:
> >> I only briefly looked at the CVEs.
> >
> > If you haven't even looked at the issues properly don't waste other
> > people's time.
>
> Seems things got a bit prickly here, so I'm seeing if I can do some
> coordinating to make things a bit smoother.
>
> I believe that everyone involved, both you and Ola, had good motivations
> behind their words.
>
> I'm seeing the notes in the context of it being marked vulnerable (no
> DSA) on buster:
>
> [buster] - firmware-nonfree <no-dsa> (Non-free not supported)
> Short of details:
> https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00438.html
> Per Intel, this was fixed by a firmware update. v49.0.1 of the
> firmware is required. The new firmware requires a kernel patch
> https://git.kernel.org/linus/c784e5249e773689e38d2bc1749f08b986621a26
> Firmware was added via
> https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/commit/?id=c487f7dadcd21116613441ed355b764003b3f57b
>
> Based on that, here is what my takes on Ola's questions might be:
> 1) Too invasive for this issue, but it's nice to give people enough
> information to deal with this themselves
> 2) Not really
> 3) The treatment of this issue on buster and stretch would be best to be
> kept consistent unless there are pressing reasons to do otherwise
>
> Moritz, is that compatible with your take on this?
> Ola, does this help you on this topic?
>
> --
> Lynoure Braakman

--
 --- Inguza Technology AB --- MSc in Information Technology ----
|  o...@inguza.com                    o...@debian.org            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
 ---------------------------------------------------------------