Emilio Pozuelo Monfort wrote:
> Small nitpick: a CVE 'ignored' for (old)stable can still be fixed via point
> release. The sec-team could be contacted to update that triaging, but that's
> only ignored for (old)stable-security, not for (old)stable, where other
> criteria apply. The reason following the ignored triaging may give some
> more insight as to why it was ignored and why it may or may not make sense
> to fix in a point release.

That's not in line with established practices, see
https://security-team.debian.org/triage.html

| Some packages should rather not be fixed at all, e.g. because the possible
| benefit does not outweigh the risk/costs of an update, or because an update
| is not possible (e.g. as it would introduce behavioural changes not appropriate
| for a stable release). In the Security Tracker these are tracked with the
| <ignored> state.

Cheers,
Moritz