Hi Roberto

You ask me what constitutes a minor issue. My first thought was that I do not really know. But after some thinking I know, it is just that I cannot express it. I'll think about it. I think we should have a guideline that we can review. I'll make a proposal.
But it has to be done after Easter. Now it is holiday time. :-)

Cheers

// Ola

On Sun, 24 Mar 2024 at 01:59, Roberto C. Sánchez <robe...@debian.org> wrote:
> On Thu, Mar 14, 2024 at 11:39:41PM +0100, Ola Lundqvist wrote:
> >
> > I think we should clarify what we mean with "Minor issue". Is it what is
> > typically written as "(Minor issue)" after "<no-dsa>" statement or
> > something else.
> > I'm asking since it seems to be a common view that we should fix all minor
> > issues too. I do not agree to that, but others have expressed that opinion.
> >
> Can you suggest what might be a useful statement or description of what
> constitutes a minor issue? I ask because nothing comes to mind. There
> are a multitude of factors and considerations that contribute to the
> severity of an issue, that this seems to me like a clear example of the
> sort of reason that regular LTS contributors are all experienced DD with
> security-relevant experience. Each case is a matter of professional
> judgment.
>
> > I think we should add that if LTS has an issue as no-dsa/postponed and
> > (old-)stable has it fixed, then we should add/keep the package to
> > dla-needed (or decide to ignore in case it is too invasive) to ensure LTS
> > gets it fixed as well. At least that was the rule I concluded from the
> > discussion and why I re-added a few packages back to dla-needed.
>
> This seems like something that we already do, or am I mistaken? As in,
> when a Debian release becomes LTS, one of the things that we do is to
> review the packages which have outstanding unfixed CVEs and triage them
> for LTS.
>
> > I also think we should add that in the typical case (all
> > no-dsa/postponed/ignored/fixed and they are few) this means that the
> > package should be removed from dla-needed.txt. I think it has a merit,
> > just to keep things tidy.
> > In fact I think we should typically remove the package from dla-needed if
> > it should not have been added, with exceptions described above.
>
> If we end up moving to a workflow based on Salsa issues, then I think
> that this will naturally occur. However, if we continue with a workflow
> based primarily around dla-needed.txt I am not certain where we would
> keep track of these packages which need work but perhaps not directly
> for a DLA.
>
> Regards,
>
> -Roberto
>
> --
> Roberto C. Sánchez

--
--- Inguza Technology AB --- MSc in Information Technology ----
| o...@inguza.com o...@debian.org |
| http://inguza.com/ Mobile: +46 (0)70-332 1551 |
---------------------------------------------------------------