Hi, On Fri, Aug 11, 2017 at 09:01:37PM +0200, Sébastien Delafond wrote: > After some discussion about what no-dsa really means, I've added 2 new > sub-states to the tracker, and they can be used as follows: > > CVE-2018-10012345 > - foo <unfixed> (bug #9876543) > [stretch] - shadow <postponed> (Minor issue, later) > [jessie] - shadow <postponed> (Minor issue, later) > [wheezy] - shadow <postponed> (Minor issue, later) > CVE-2018-10012346 > - foo <unfixed> (bug #9876542) > [stretch] - shadow <ignored> (maintainer choice) > [jessie] - shadow <ignored> (maintainer choice) > [wheezy] - shadow <ignored> (maintainer choice) > > The actual state will still be "no-dsa" in both cases, but hopefully the > sub-state clears things up as to *why* we chose no-dsa.
This is awesome and will make it much clearer why s.th. is actually no-dsa. We can now also go through postponed issues and check whether they actually got fixed in a point release. Cheers, -- Guido > > The per-issue web views does expose those sub-states, see for instance > libemail-address-perl[1] and cacti[2], and the status pages[3][4][5] > allow to filter on them (someone with actual web skills should probably > make it so that checking "include issues tagged <ignored/postponed>" > automatically checks "include issues tagged <no-dsa>"). > > Cheers, > > --Seb > > [1] > https://security-tracker.debian.org/tracker/source-package/libemail-address-perl > [2] https://security-tracker.debian.org/tracker/source-package/cacti > [3] https://security-tracker.debian.org/tracker/status/release/stable > [4] https://security-tracker.debian.org/tracker/status/release/oldstable > [5] https://security-tracker.debian.org/tracker/status/release/oldoldstable >
