On Wed, 3 Apr 2024 at 17:04, Gian Piero Carrubba <[email protected]> wrote:
>
> * [Wed, Apr 03, 2024 at 09:21:41AM +0100] Samuel Henrique:
> ># Alternative solutions:
> >If we really want to distinguish the case when we don't produce any affected
> >packages but the source contains the vulnerability (a build with different
> >flags might result in an affected package), we can create a new tag to show
> >this: not-affected-build-artifacts.
>
> This. Just marking the CVE as not-affected does not distinguish between
> deb and deb-src, that are still part of (and shipped by) Debian.
On the proposed solution I also mention that we can use the "(free text comment)" section to indicate that, while sticking to "not-affected"; this would simplify things as no new value is needed. But parsing the cases where only the sources contain the vulnerable code might be a bit harder.

I'm curious though as to what the use case of that is; no other Linux distribution specifies the case where only the source carries the vulnerability. What would be the need for this as a user?

If this is a need you have, could you clarify it, please?

Regards,

--
Samuel Henrique <samueloph>

