Hi,

On Wed, 10 Apr 2024, Ola Lundqvist wrote:
> > Some package maintainers will typically decide to fix it via a point
> > release. But they rarely update the triaging to document "postponed" or
> > "ignored". So that's why it's up to the LTS team to make that call
> > when we are (alone) in charge of a given release.
>
> This is a good point. I had missed that package maintainers do not
> update the security tracker. Can we have tools to help us with this?

FWIW the Debian package tracker highlights no-dsa CVEs to handle and points
package maintainers to those instructions:
https://security-team.debian.org/triage.html

Cheers,
-- 
  ⢀⣴⠾⠻⢶⣦⠀   Raphaël Hertzog <hert...@debian.org>
  ⣾⠁⢠⠒⠀⣿⡁
  ⢿⡄⠘⠷⠚⠋    The Debian Handbook: https://debian-handbook.info/get/
  ⠈⠳⣄⠀⠀⠀⠀   Debian Long Term Support: https://deb.li/LTS