Hi Sebastian,
On 10/27/25 13:40, Sebastian Pipping wrote:
> Hello Stuart,
> On 10/27/25 20:45, Stuart Henderson wrote:
> > On 2025/10/27 19:51, Sebastian Pipping wrote:
> > > Also, fixes without a CVE will not be backported downstream.
> > That depends on the downstream.
> I'm happy to learn which downstreams backport security issues
> without a CVE, in practice. Do you have an example or two?
E.g. the Graphviz 2.40.1-3 update in Debian¹ appears to have cherry-
picked bd97cff688f7a7b85b6f1262e14eb1cac0862fcd² that went into upstream
release 2.42.0. AFAIK the underlying issue never received a CVE.
Speaking as one of the upstream maintainers, there seems very little
logic to me as to which Graphviz patches get backported and which do
not. I suspect it is just whatever users file requests for.³ Ubuntu has
also started carrying some modified versions of Graphviz components
under the category “Ubuntu Pro”. The changes there seem to be
exclusively backported CVE fixes, so this supports the point that CVEs
carry some weight. OTOH as the Graphviz project is not a CNA nor
requests CVEs, the actual CVEs against Graphviz are just an arbitrary
subset of bugs fixed, so not really a useful thing to index on.
¹ Scroll down in
https://metadata.ftp-master.debian.org/changelogs//main/g/graphviz/graphviz_2.42.4-3_changelog
²
https://gitlab.com/graphviz/graphviz/-/commit/bd97cff688f7a7b85b6f1262e14eb1cac0862fcd
³ E.g. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1075904