On Wed, Dec 11, 2024 at 05:10:54PM +0100, Sylvain Beucler wrote:
> Hi,
>
> On 11/12/2024 16:17, Adrian Bunk wrote:
> > On Wed, Dec 11, 2024 at 11:05:10AM +0100, Sylvain Beucler wrote:
> > > On 09/12/2024 18:55, Sylvain Beucler wrote:
> > > > On 07/12/2024 04:10, Roberto C. Sánchez wrote:
> > > > > The Security Team has supplied a list of packages/CVEs which were
> > > > > fixed by DLA (some in bullseye and some in buster) but which remain
> > > > > unfixed in bookworm (and which are tagged no-dsa, indicating that
> > > > > the Security Team has no immediate plans to address them).
> > > >
> > > > What is the general feeling/context over this situation?
> > > >
> > > > - Does LTS fix too many mid/low CVEs, hence should prevent this
> > > > situation e.g. by avoiding fixing ahead of Stable?
> > > >
> > > > - Or, does LTS fix CVEs appropriately, hence is encouraged to fix more
> > > > CVEs, but always in all dists?
> > >
> > > For more context: at a point LTS got negative feedback from Debian about
> > > making too frequent DLAs for low-priority CVEs (resulting in more
> > > maintenance/restart work for sysadmins around the globe), and negative
> > > feedback from Freexian about making such releases instead of handling
> > > packages with more severity or age.
> > >
> > > Conversely, this thread is about fixing many low/mid-priority (no-dsa)
> > > CVEs, and not in LTS but in Stable.
> > >
> > > As a contributor, and as FD, I'm now unsure of what to include in DLAs.
> > > ...
> > > As FD I decided not to add it to dla-needed.txt, waiting for Stable action
> > > to follow, e.g. a point-update.
> > > ...
> > > So is it welcome to fix those low-priority (DoS) CVEs or should we wait?
> > > ...
> >
> > "avoiding fixing ahead of Stable" or "should we wait" gives a wrong
> > impression of the options available.
>
> That's not really my question.
>...
> I was asking the coordinators really, to get a clearer direction, fine-tune
> this middle ground,

But this has to be an immediate yes/no decision.

My point was that "waiting for Stable action to follow, e.g. a point-update"
is not a reasonable option.

Where to put the border between "yes" and "no" is not something I commented on.

> and possibly get secteam's general feeling on this (since
> this is apparently at their initiative).
>...

My understanding is that they were providing a list of packages/CVEs where
LTS contributors failed to submit fixes for DLA-fixed CVEs to bookworm-pu.

That's a different topic.

> Cheers!
> Sylvain

cu
Adrian