On 03.08.19 at 10:55, Sylvain Beucler wrote:

[...]

> When an early fix is more likely to introduce regressions than protect
> users from real-world attacks, don't we mark it as 'postponed'?

We only postpone a fix if there is a minor issue and it is not worth fixing via a standalone update. Every fix has in theory the potential to introduce a regression because we change something. The answer can't be to stop fixing bugs but to evaluate the possible impact of a change and if necessary correct the patch in another step.

If the risk of a regression outweighs the benefit of a fix we usually mark the CVE as "ignored", e.g. when upstream introduces a new security option that requires a lot of code refactoring but only improves the security for non-default setups in rather uncommon scenarios.

Regards,
Markus