On 28/09/2022 23:54, Ola Lundqvist wrote:
> Hi Sylvain
> Took me a month to get down here in the email backlog. I think your
> reasoning makes sense.
> I have added the following to the LTS/Development page.
> "If a CVE has been fixed in Debian Stable it should, in general, be fixed
> in LTS as well, or marked as ignored. It does not make sense to have such
> CVEs marked as postponed or no-dsa since either the Debian Security team or
> the maintainer has decided that it was worth fixing."
> Please update that page if you think I was unclear or wrong.

I don't think that's correct. Say for example:
Package foo has two CVEs:
- CVE-2022-1234 of high severity, affecting stable
- CVE-2022-5678 of minor severity, affecting stable and oldstable
The sec-team fixes both.
Now, what do we do? According to your reasoning, we should either do a DLA to
fix a single minor issue, or mark it as ignored. I think marking it as postponed
is the correct course of action here.
I can think of similar situations when a maintainer fixes a minor issue through
a point release. It could be fixed or postponed, but there's no need to ignore it.
Cheers,
Emilio