Re: Guidance for CVE triage and listing packages in dla-needed.txt

2024-03-14 Thread Ola Lundqvist
Hi again. One more thing. Should we have a statement about the fact that we do not judge whether to ignore a package based on the number of users? We only ignore in case it is not really feasible to backport without breaking things. Do we have any limit on how difficult it is allowed to be to back

Re: Question about tinymce dsa/no-dsa decisions

2024-03-14 Thread Ola Lundqvist
Hi. I checked the four new CVEs and my conclusion is that the vulnerable code is not present. I'm not 100% sure because the code is so extremely different, but I'm pretty sure about it. At least I cannot even grep for "surrounding code" in the area where the fix is made. Based on that I marked them

Re: Guidance for CVE triage and listing packages in dla-needed.txt

2024-03-14 Thread Ola Lundqvist
Hi Roberto. Thank you for the clarifications. I think we should add some more. See below. On Thu, 14 Mar 2024 at 21:37, Roberto C. Sánchez wrote: > Hello everyone, > > After the recent discussions regarding triage decisions and the criteria > for keeping packages in dla-needed.txt, I wanted to

Expanding the scope (slightly) of dla-needed.txt

2024-03-14 Thread Roberto C. Sánchez
Hello everyone, I have discussed with Santiago the idea of whether we need to somewhat expand the scope of dla-needed.txt. In essence, we need to continue tracking packages as in-work in some cases even after a DLA is released because we might be working with secteam, (O)SRM, and/or the maintaine

Guidance for CVE triage and listing packages in dla-needed.txt

2024-03-14 Thread Roberto C. Sánchez
Hello everyone, After the recent discussions regarding triage decisions and the criteria for keeping packages in dla-needed.txt, I wanted to provide some guidance to help make matters more clear. First, as to the matter of triaging individual CVEs: - we prefer to see all CVEs fixed, absent good