Hi Sylvain,

On Thu, Apr 06, 2023 at 05:54:08PM +0200, Sylvain Beucler wrote:
> Hello Security Team,
>
> On 01/04/2023 21:31, Salvatore Bonaccorso wrote:
> > First a disclaimer, this probably needs further discussion, reflects
> > my current personal knowledge and view on the question, and further
> > feedback is appreciated by at least one other person in the Debian
> > security team doing frequent CVE triage, I have in mind Moritz.
>
> Waiting for other security team members' input, I can clarify a couple
> points and propose a plan for action.

Still welcome.

> First I confirm that this is intended for LTS only; for ELTS we can just
> triage in the ELTS security tracker almost without interference.

Thanks a lot for confirming.

> - For python2.7, AFAIU you would be inclined to associate CVEs to that
> package more often, for the duration of buster-lts, which would help a lot.
> On the LTS side we'd like to associate all the past python3.x CVEs to
> python2.7 (13 CVEs) and triage them accordingly (so we can easily compare
> python2 and python3 status).
> Would that be OK?

From my side no objection on that. If you do not hear a NACK, go ahead
with it.

> - For gnupg1, we'd like to reference it in
> debian-security-support/security-support-limited (or
> security-support-endedXX).
> Would that be OK?

Inclined to say to add it to security-support-limited. The reference to
the release notes might suffice as explanation, or you can be more
verbose and reference #982258. It lists reasons for still keeping
src:gnupg1 to handle specific use cases.

> - For sqlite, I believe LTS supports it as a dependency of
> yum<python-sqlite<libsqlite0.
> There are also direct use cases of the 'sqlite' CLI: for accessing v2
> databases, and migrate v2 databases to v3 (AFAICS).

OK, understood.

> So I'm more inclined to keep it supported for the duration of buster-lts
> (package was removed in later dists).
> What do you think?

The question is then probably: If kept supported, you would need to
check each of the sqlite-affecting CVEs if they really apply to the old
code base. In such a case, add

- sqlite <removed>

and triage it further for buster.

Regards,
Salvatore