Hi,

On Sun, Apr 13, 2025 at 04:06:38PM +0100, Samuel Henrique wrote:
> Hello everyone,
>
> On Sun, 2 Mar 2025 at 20:26, Samuel Henrique <samuel...@debian.org> wrote:
> > Just checking if you would have time to look into this.
>
> Sending another ping, this proposal is now 1 year old.
>
> For clarity, I'm not requesting the team to do any work here. I can work on the
> changes, I just need a decision on the solution.
>
> Personally, I have it as a high priority to cut down those 20% false-positive
> CVEs reported for Debian containers, since a lot of official containers are
> based on us, but this will also help non-container users.
>
> I'm hoping that sending this is fine, but let me know if I should have waited
> more than a month from the previous message.
Yes, it's fine that you do a ping on things which are of a priority for you. And just to be clear, the security-tracker is very important to me as well, in particular to enable our work ;-)

I believe the changes should go in the direction I tried to highlight, or more concretely have a "nonissue" state, which still reflects correctly that the issue is there, but without any (practical) impact. That will make for instance moot the unimportant severity, which can only be applied as a whole to a source entry, but not to individual suite entries.

I have not gone through all details of your proposal, but the high level view is IMHO as described in short above. For instance, for the zlib issues that would then move the entries from the ignored state (which is a substate of no-dsa and which apparently commercial security scanners are not willing to parse or adapt to) to the more narrowed down and specified substate of nonissue. In particular, such a vulnerability state could exactly reflect as well per suite entry in case the state changes between them.

Hope this clarifies that you are not being ignored (heh ;-) no pun intended here :)), which is as well quite important to me to let you know.

Regards,
Salvatore