Re: Guidance for CVE triage and listing packages in dla-needed.txt

To: Ola Lundqvist <ola@inguza.com>
Cc: Roberto C. Sánchez <roberto@debian.org>, debian-lts@lists.debian.org
Subject: Re: Guidance for CVE triage and listing packages in dla-needed.txt
From: Raphael Hertzog <hertzog@debian.org>
Date: Thu, 11 Apr 2024 08:57:33 +0200
Message-id: <[🔎] ZheJ3XF3x_6qmzKa@t14-buxy.home.ouaza.com>
Mail-followup-to: Raphael Hertzog <hertzog@debian.org>, Ola Lundqvist <ola@inguza.com>, Roberto C. Sánchez <roberto@debian.org>, debian-lts@lists.debian.org
In-reply-to: <[🔎] CABY6=0m+_5gpAH7GDdBsJpcGqZMbFG+si-MUkbhr2ZtjNwrPfQ@mail.gmail.com>
References: <ZfNfu-vqni1jBLnH@connexer.com> <CABY6=0=OZicLcabfZSaDMBg1WhGAfS2f4PV_MsZ0OraO2+HNTg@mail.gmail.com> <Zf96tYIiPL-slAdj@connexer.com> <CABY6=0khY6yQRNyjhP3kJgdop3w56LDS0-TzgmB3F0FiKazaXg@mail.gmail.com> <[🔎] CABY6=0==fO4g+G2j4uFgjDm-dOJsjxqa8-yn96+G0Y0kN04WsQ@mail.gmail.com> <[🔎] ZhROCzVMHSkc5o_Y@connexer.com> <[🔎] CABY6=0n6ay5uvKXKn0xVCXM65C5nkw8Z7_u=W-SwMevHNM-W6g@mail.gmail.com> <[🔎] ZhZSqIlcSQWh4Gnd@t14-buxy.home.ouaza.com> <[🔎] CABY6=0m+_5gpAH7GDdBsJpcGqZMbFG+si-MUkbhr2ZtjNwrPfQ@mail.gmail.com>

Hi,

On Wed, 10 Apr 2024, Ola Lundqvist wrote:
> > Some package maintainers will typically decide to fix it via a point
> > release. But they rarely update the triaging to document "postponed" or
> > "ignored". So that's why it's up to the LTS team to make that call
> > when we are (alone) in charge of a given release.
> 
> This is a good point. I had missed that package maintainers do not
> update the security tracker. Can we have tools to help us with this?

FWIW the Debian package tracker highlight no-dsa CVE to handle and point
package maintainers to those instructions:
https://security-team.debian.org/triage.html

Cheers,
-- 
  ⢀⣴⠾⠻⢶⣦⠀   Raphaël Hertzog <hertzog@debian.org>
  ⣾⠁⢠⠒⠀⣿⡁
  ⢿⡄⠘⠷⠚⠋    The Debian Handbook: https://debian-handbook.info/get/
  ⠈⠳⣄⠀⠀⠀⠀   Debian Long Term Support: https://deb.li/LTS

Reply to:

References:
- Re: Guidance for CVE triage and listing packages in dla-needed.txt
  - From: Ola Lundqvist <ola@inguza.com>
- Re: Guidance for CVE triage and listing packages in dla-needed.txt
  - From: Roberto C. Sánchez <roberto@debian.org>
- Re: Guidance for CVE triage and listing packages in dla-needed.txt
  - From: Ola Lundqvist <ola@inguza.com>
- Re: Guidance for CVE triage and listing packages in dla-needed.txt
  - From: Raphael Hertzog <hertzog@debian.org>
- Re: Guidance for CVE triage and listing packages in dla-needed.txt
  - From: Ola Lundqvist <ola@inguza.com>

Prev by Date: Re: How to handle freeimage package
Next by Date: Re: Guidance for CVE triage and listing packages in dla-needed.txt
Previous by thread: Re: Guidance for CVE triage and listing packages in dla-needed.txt
Next by thread: Remove runc from dla-needed
Index(es):
- Date
- Thread