On Mon, 18 Mar 2024, Emilio Pozuelo Monfort wrote:
One solution which has been discussed in the past is to import a full copy
of stable towards stable-security at the beginning of each release cycle,
but that is currently not possible since security-master is a Ganeti VM
and the disk requireme
Emilio Pozuelo Monfort wrote:
> Small nitpick: a CVE 'ignored' for (old)stable can still be fixed via point
> release. The sec-team could be contacted to update that triaging, but that's
> only ignored for (old)stable-security, not for (old)stable, where other
> criteria apply. The reason followi
On Mon, Mar 18, 2024 at 01:13:15PM +0100, Emilio Pozuelo Monfort wrote:
> [ Adding debian-dak@ to Cc ]
> > One solution which has been discussed in the past is to import a full copy
> > of stable towards stable-security at the beginning of each release cycle,
> > but that is currently not possible
Hi Emilio
Yes, looks like it solves the problem as well.
// Ola
On Mon, 18 Mar 2024 at 13:14, Emilio Pozuelo Monfort wrote:
> [ Adding debian-dak@ to Cc ]
>
> On 22/12/2023 09:54, Moritz Muehlenhoff wrote:
> > On Thu, Dec 21, 2023 at 07:30:51PM -0300, Santiago Ruano Rincón wrote:
> >> So let m
On Mon, Mar 18, 2024 at 01:01:28PM +0100, Emilio Pozuelo Monfort wrote:
> On 14/03/2024 21:36, Roberto C. Sánchez wrote:
> > - if a CVE is 'fixed' in LTS but 'ignored' in (old)stable, then the
> > security team should be contacted to see if they would be willing to
> > change to 'no-dsa' so t
On 23/06/2023 10:21, Moritz Muehlenhoff wrote:
But in fact the view in the Debian security is a little misleading, given
that it displays "vulnerable" all over the place, e.g.
https://security-tracker.debian.org/tracker/CVE-2023-31147
It would be nice if that "unimportant" issues it would instea
[ Adding debian-dak@ to Cc ]
On 22/12/2023 09:54, Moritz Muehlenhoff wrote:
On Thu, Dec 21, 2023 at 07:30:51PM -0300, Santiago Ruano Rincón wrote:
So let me ask you: are you interested in addressing the infrastructure
limitations to handle those kinds of packages? and having some help for
that?
On 14/03/2024 21:36, Roberto C. Sánchez wrote:
- if a CVE is 'fixed' in LTS but 'ignored' in (old)stable, then the
security team should be contacted to see if they would be willing to
change to 'no-dsa' so that a point release fix can be made
Small nitpick: a CVE 'ignored' for (old)stable
Hi,
On 17/03/2024 06:54, Sean Whitton wrote:
On Thu 14 Mar 2024 at 04:47pm -04, Roberto C. Sánchez wrote:
- it is important to update the notes on packages in dla-needed.txt to
indicate what work has been done and what remains
I think that we should be also reviewing old notes and deleting t