On 03/08/2019 14:05, Markus Koschany wrote:
> On 03.08.19 at 10:55, Sylvain Beucler wrote:
> [...]
>> When an early fix is more likely to introduce regressions than protect
>> users from real-world attacks, don't we mark it as 'postponed'?
> We only postpone a fix if there is a minor issue and it is not worth
> fixing via a standalone update. Every fix has in theory the potential to
> introduce a regression because we change something. The answer can't be
> to stop fixing bugs but to evaluate the possible impact of a change and
> if necessary correct the patch in another step. If the risk of a
> regression outweighs the benefit of a fix we usually mark the CVE as
> "ignored", e.g. when upstream introduces a new security option that
> requires a lot of code refactoring but only improves the security for
> non-default setups in rather uncommon scenarios.
That was more addressed at security-team@, I was just going your way to say that marking zip-bomb 'unimportant' just because it was likely to introduce important regressions conveyed the wrong message.

- Sylvain