Hi,

On 09/12/2024 18:55, Sylvain Beucler wrote:
On 07/12/2024 04:10, Roberto C. Sánchez wrote:
The Security Team has supplied a list of packages/CVEs which were fixed
by DLA (some in bullseye and some in buster) but which remain unfixed in
bookworm (and which are tagged no-dsa, indicating that the Security Team
has no immediate plans to address them).

What is the general feeling/context over this situation?

- Does LTS fix too many mid/low CVEs, hence should prevent this situation e.g. by avoiding fixing ahead of Stable?

- Or, does LTS fix CVEs appropriately, hence is encouraged to fix more CVEs, but always in all dists?

For more context: at one point LTS got negative feedback from Debian about making too frequent DLAs for low-priority CVEs (resulting in more maintenance/restart work for sysadmins around the globe), and negative feedback from Freexian about making such releases instead of handling packages with more severity or age.

Conversely, this thread is about fixing many low/mid-priority (no-dsa) CVEs, and not in LTS but in Stable.

As a contributor, and as FD, I'm now unsure of what to include in DLAs.

For instance, ruby*, which has 5-6 pending <no-dsa> CVEs about REXML:
https://security-tracker.debian.org/tracker/source-package/ruby3.1
https://security-tracker.debian.org/tracker/source-package/ruby2.7

As FD I decided not to add it to dla-needed.txt, waiting for Stable action to follow, e.g. a point-update. The next FD made the opposite decision and added it for immediate action. So is it welcome to fix those low-priority (DoS) CVEs or should we wait?

I hope this provides more context to the question in my previous e-mail.

Cheers!
Sylvain