Hi Sylvain

Took me a month to get down here in the email backlog. I think your
reasoning makes sense.
I have added the following to the LTS/Development page.

"If a CVE has been fixed in Debian Stable it should, in general, be fixed
in LTS as well, or marked as ignored. It does not make sense to have such
CVEs marked as postponed or no-dsa since either the Debian Security team or
the maintainer have decided that it was worth fixing."
Please update that page if you think I was unclear or wrong.

Cheers

// Ola

On Tue, 26 Jul 2022 at 00:49, Sylvain Beucler <b...@beuc.net> wrote:

> Hi,
>
> On 14/07/2022 23:49, Ola Lundqvist wrote:
> > During my front desk work I have now got down to the CVEs for buster
> > that are "postponed".
> > The triage script suggests me to "ignore" or "fix".
> You mean this particular section:
> "Issues postponed for <oldstable>, but already fixed in <stable> via DSA
> or point releases (to be fixed or <ignored>):"
>
> There seems to be a misunderstanding between minor issues /in general/
> (Anton's new ticket/discussion), and these very specific CVEs that are
> /already fixed/ in stable.
>
> Since they are /already fixed/ in stable, we should either follow suit
> and fix them promptly in oldstable (for consistency with the maintainer
> and secteam's decision), or mark them <ignored> explaining why we won't.
> Keeping them <no-dsa> or <postponed> doesn't make sense, hence why the
> script reports it.
> More info and rationale at:
> https://lists.debian.org/debian-lts/2022/04/msg00011.html
>
> Also let's note that "minor" in the tracker means
> "non-critical/non-urgent" (and not "trivial/unimportant"), i.e. not
> requiring active tracking and/or NMU from secteam (they leave it to the
> maintainer).
>
>
> For minor issues /in general/, there's Anton's ticket/discussion:
> https://salsa.debian.org/lts-team/lts-extra-tasks/-/issues/38
> which AFAIU addresses the opposite issue (fixing <no-dsa> that are /not
> fixed/ in stable).
>
>
> In short, I believe the recommendation from lts-cve-triage.py is right.
>
> Cheers!
> Sylvain
>


-- 
 --- Inguza Technology AB --- MSc in Information Technology ----
|  o...@inguza.com                    o...@debian.org            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
 ---------------------------------------------------------------
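The consistency rule discussed above (a CVE fixed in stable via DSA or point release should not sit as postponed/no-dsa in oldstable) can be checked mechanically. The following is an added example written for this thread, not code from lts-cve-triage.py or the security tracker; the record format is a constructed simplification loosely modelled on the tracker's data/CVE/list notation, and the suite names and CVE entries are made-up sample data.

```python
import re

# Constructed sample input (assumed format, not the real tracker file):
# a CVE header line, then per-suite lines "\t[suite] - pkg version|<tag>".
SAMPLE = """\
CVE-2022-0001 (example issue A)
\t- foo 1.2-3 (bug #900001)
\t[bullseye] - foo 1.2-2+deb11u1
\t[buster] - foo <postponed> (Minor issue)
CVE-2022-0002 (example issue B)
\t- bar 2.0-1
\t[bullseye] - bar <no-dsa> (Minor issue)
\t[buster] - bar <no-dsa> (Minor issue)
CVE-2022-0003 (example issue C)
\t- baz 3.1-1
\t[bullseye] - baz 3.0-4+deb11u2
\t[buster] - baz <ignored> (Won't fix)
"""

SUITE_LINE = re.compile(r"^\t\[(\w+)\] - (\S+) (\S+)")

def parse(text):
    """Return {cve: {suite: status}}; status is a fixed version or a <tag>."""
    entries, cve = {}, None
    for line in text.splitlines():
        if line.startswith("CVE-"):
            cve = line.split()[0]
            entries[cve] = {}
            continue
        m = SUITE_LINE.match(line)
        if m and cve:
            entries[cve][m.group(1)] = m.group(3)
    return entries

def fixed_in(status):
    """A concrete version means fixed; a <tag> means no fix shipped."""
    return not status.startswith("<")

def triage(entries, stable="bullseye", oldstable="buster"):
    """Flag CVEs fixed in stable but still postponed/no-dsa in oldstable.

    Per the thread: such entries should either be fixed in oldstable too
    or explicitly marked <ignored> with a reason; postponed/no-dsa is
    inconsistent with the maintainer's/secteam's decision to fix."""
    findings = []
    for cve, suites in sorted(entries.items()):
        st, old = suites.get(stable), suites.get(oldstable)
        if st and old and fixed_in(st) and old in ("<postponed>", "<no-dsa>"):
            findings.append((cve, "fix or mark <ignored>"))
    return findings

if __name__ == "__main__":
    for cve, advice in triage(parse(SAMPLE)):
        print(cve, "->", advice)
```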