On Sat, 2017-01-28 at 16:09 +0200, Adrian Bunk wrote:
> On Sat, Jan 28, 2017 at 01:20:00PM +0000, Niels Thykier wrote:
> >  * can-defer (serious bug, but not a blocker - could be fixed via pu
> >               or a security upload)
> >    - This implies a "stretch-ignore".
> 
> These are mostly CVE fixes, sometimes "no-dsa" in jessie.
> 
> Deferring something now and doing a DSA later sounds wrong to me,
> IMHO a "stretch-ignore" would imply that the security team is OK
> with having that unfixed during the lifetime of stretch.

It's the workflow we've had for the past couple of releases at least and
that was agreed with the Security Team. It may be what the -ignore
implies to you, but it does not mean that the bug will not get fixed in
stretch.

Regards,

Adam
