On Wed, Apr 12, 2023 at 10:58:15PM +0200, Salvatore Bonaccorso wrote:
> > - For python2.7, AFAIU you would be inclined to associate CVEs to that
> > package more often, for the duration of buster-lts, which would help a lot.
> > On the LTS side we'd like to associate all the past python3.x CVEs to
> > python2.7 (13 CVEs) and triage them accordingly (so we can easily compare
> > python2 and python3 status).
> > Would that be OK?
>
> From my side no objection on that. If you do not hear a NACK, go ahead
> with it.

Yeah, that sounds fine.

> > - For gnupg1, we'd like to reference it in
> > debian-security-support/security-support-limited (or
> > security-support-endedXX).
> > Would that be OK?
>
> Inclined to say to add it to security-support-limited. The reference
> to the release notes might suffice as explanation, or you can be more
> verbose and reference #982258. It lists reasons for still keeping
> src:gnupg1 to handle specific use cases.

Ack.

Cheers,
Moritz