Hi Roberto

After some initial thinking on what "constitutes a minor issue?" I did some
research and realized that there is in fact a good classification in the
Debian Security team list here:
https://security-team.debian.org/security_tracker.html#severity-levels

We have "unimportant", "low", "medium" and "high".

The ones classified as "high" are clearly things that warrant a DSA/DLA, so
they should never be postponed in LTS.
We can discuss medium, I think they should in general give a DSA/DLA but
with lower prio.

Then we need to discuss how to handle all the "low" severity issues we
have. We are fixing a lot of them. I think these should in general be
postponed or ignored. But that is my view. Sure, fixing such issues can be good, but
I'm not sure the risk of regression outweighs the security gain by fixing
them, and also we can discuss whether it is worth fixing.

Related to this I think we should in fact start to use this severity
classification more because the severity level will definitely help with
the decision on which packages to fix first.

Cheers

// Ola

On Thu, 28 Mar 2024 at 23:50, Ola Lundqvist <o...@inguza.com> wrote:

> Hi Roberto
>
> You ask me what constitutes a minor issue. My first thought was that I do
> not really know. But after some thinking I know, it is just that I cannot
> express it.
> I'll think about it. I think we should have a guideline that we can
> review. I'll make a proposal.
>
> But it has to be done after Easter. Now it is holiday time. :-)
>
> Cheers
>
> // Ola
>
> On Sun, 24 Mar 2024 at 01:59, Roberto C. Sánchez <robe...@debian.org>
> wrote:
>
>> On Thu, Mar 14, 2024 at 11:39:41PM +0100, Ola Lundqvist wrote:
>> >
>> >    I think we should clarify what we mean with "Minor issue". Is it what is
>> >    typically written as "(Minor issue)" after the "<no-dsa>" statement or
>> >    something else?
>> >    I'm asking since it seems to be a common view that we should fix all minor
>> >    issues too. I do not agree to that, but others have expressed that opinion.
>> >
>> Can you suggest what might be a useful statement or description of what
>> constitutes a minor issue? I ask because nothing comes to mind. There
>> are a multitude of factors and considerations that contribute to the
>> severity of an issue, such that this seems to me like a clear example of the
>> sort of reason that regular LTS contributors are all experienced DDs with
>> security-relevant experience. Each case is a matter of professional
>> judgment.
>>
>> >    I think we should add that if LTS has an issue as no-dsa/postponed and
>> >    (old-)stable has it fixed, then we should add/keep the package to
>> >    dla-needed (or decide to ignore in case it is too invasive) to ensure LTS
>> >    gets it fixed as well. At least that was the rule I concluded from the
>> >    discussion and why I re-added a few packages back to dla-needed.
>>
>> This seems like something that we already do, or am I mistaken? As in,
>> when a Debian release becomes LTS, one of the things that we do is to
>> review the packages which have outstanding unfixed CVEs and triage them
>> for LTS.
>>
>> >    I also think we should add that in the typical case (all
>> >    no-dsa/postponed/ignored/fixed and they are few) this means that the
>> >    package should be removed from dla-needed.txt. I think it has a merit,
>> >    just to keep things tidy.
>> >    In fact I think we should typically remove the package from dla-needed if
>> >    it should not have been added, with exceptions described above.
>>
>> If we end up moving to a workflow based on Salsa issues, then I think
>> that this will naturally occur. However, if we continue with a workflow
>> based primarily around dla-needed.txt I am not certain where we would
>> keep track of these packages which need work but perhaps not directly
>> for a DLA.
>>
>> Regards,
>>
>> -Roberto
>>
>> --
>> Roberto C. Sánchez
>>
>>
>
> --
>  --- Inguza Technology AB --- MSc in Information Technology ----
> |  o...@inguza.com                    o...@debian.org            |
> |  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
>  ---------------------------------------------------------------
>
>

-- 
 --- Inguza Technology AB --- MSc in Information Technology ----
|  o...@inguza.com                    o...@debian.org            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
 ---------------------------------------------------------------
