Hi, On 02/03/2020 06:53, Salvatore Bonaccorso wrote: > On Mon, Mar 02, 2020 at 01:57:05AM -0000, Chris Lamb wrote: >>> Internally they are all no-dsa states for the tracker. But think of it >>> of three "flavours" of no-dsa. >>> >>> For instance for postponed, we think that an update is woth of a DSA, >>> but it makes no sense to just release a DSA for it and the issue >>> should be tried to be included in a next update (be it DSA or even a >>> point release do not mather, but it has a stronger meaning that if a >>> future update is to be done then yes this needs to be included as well >>> if possible). >>> >>> The regular no-dsa is weker in in this regard. It just means, there is >>> no need or an update via security for it. It can be fixed for instance >>> via a point release *but* it is not expcluded that you can piggy-back >>> such a fix as well once a DSA worthy issue appear and you want to >>> issue a DSA/DLA. >>> >>> ignored is the stronges on the other part. It indicates from the >>> security-team perspective (or LTS team) we generally will not look >>> again at the issue (well expecptions can exists). It is a falvour of >>> no-dsa but meaning it even a future evaluation its likely just skiped. >> >> >> Ooh, this was very helpful; thank you. Indeed, can we get these very >> rough-and-ready definitions copy-pasted somewhere? >> >> However imprecise (and maybe just at first within the LTS pages, but >> whatever…) but I bet that would be very beneficial to new contributors >> and, well, to me too — I feel like there have been times in the past >> when I have not been as precise as I would have liked on the >> distinction between <ignored> and <no-dsa>, incorrectly thinking them >> to be essentially synonymous. > > Yes sure (fixing my obvious english grammar issues and typos). We have > a very "high level" view on this in [1], but it might make sense to > add some verbose explanation/outline on this on your repsective LTS > subpage where issue triage is documented. The most important bit is, I > think to explain they are basically all no-dsa, but "smell directions" > or flavours, with strongness on how the respective team will consider > they. > > [1] > https://security-team.debian.org/security_tracker.html#issues-not-warranting-a-security-advisory
If we need to document/precise [1] in LTS documentation, I'd recommend sticking to <ignore|postponed> as much as possible, since no-dsa basically means triage is not complete. Cheers! Sylvain