On Tue, May 18, 2021 at 09:38:30AM +1200, Andrew Bartlett wrote:
> On Mon, 2021-05-17 at 22:17 +0200, Sylvain Beucler wrote:
> > Hello Andrew,
> >
> > I read your message as well as
> > https://alioth-lists.debian.net/pipermail/pkg-samba-maint/2021-May/022771.html
> > and I believe I can add a few more pointers, as part of the (separate)
> > Debian Long Term Support (LTS) team.
> >
> > (I'm a bit confused because you're listed as a Debian package
> > maintainer at https://packages.debian.org/sid/samba but I assume
> > you're asking from upstream / Samba maintainers' point of view.)
>
> Yeah, I helped build the current monster, and try to help out when I
> can, mostly in terms of advice, but I've increasingly stepped back. My
> various Debian privileges, such as I had them, have expired and I
> should probably be retired to 'lurker' status.
>
> > First, "no-dsa" (and its sub-states ignored/postponed) is described at:
> > https://security-team.debian.org/security_tracker.html#issues-not-warranting-a-security-advisory
> > Note that no-dsa usually means fixing the issue is not urgent/critical
> > and does not need high-priority tracking/action from the Security Team,
> > but the package maintainer(s) may track and prepare a fix nonetheless,
> > e.g. through Debian's quarterly point releases (10.x).
> > Likewise, I read "Minor issue" as "non-critical".
> >
> > By contrast, "unimportant" is a lesser severity state, and matching
> > CVEs will likely never be fixed due to inapplicability in Debian or
> > questionable security relevance.
>
> Can you clarify the mapping between "Minor issue"/"non-critical" and
> the Severity levels table? Samba generally only issues a CVE for
> things that are "medium" or above.
You mean the NVD severities? We do not use those values for deciding the Debian-specific assessment of whether an issue warrants a DSA or not, but the tracker displays them as part of fetching the NVD data.

Regards,
Salvatore