On Wed, Aug 26, 2015 at 02:47:42PM +0200, Raphael Hertzog wrote:
> On Tue, 25 Aug 2015, Santiago Ruano Rincón wrote:
> > > Thus it would be better if we fixed packages listed in dla-needed.txt
> > > even if the security team tagged the same issues as no-dsa afterwards.
> > >
> > > What do you think?
> >
> > I don't know. Is the no-dsa tag aimed to prioritize tasks or to avoid
> > uploading unworthy changes, especially on important packages?
>
> In general, I understand the "no-dsa" tag as, "would be nice to fix, but
> issue is not important enough to justify the workload it would impose on the
> security team".

It's mostly: "This doesn't warrant a DSA on its own, but if we have a DSA
for something more severe in the future, we can fix it along."

Cheers,
Moritz