Re: Guidance for CVE triage and listing packages in dla-needed.txt
Hi,
On Wed, 10 Apr 2024, Ola Lundqvist wrote:
> > Some package maintainers will typically decide to fix it via a point
> > release. But they rarely update the triaging to document "postponed" or
> > "ignored". So that's why it's up to the LTS team to make that call
> > when we are (alone) in charge of a given release.
>
> This is a good point. I had missed that package maintainers do not
> update the security tracker. Can we have tools to help us with this?
FWIW the Debian package tracker highlights no-dsa CVEs to handle and points
package maintainers to those instructions:
https://security-team.debian.org/triage.html
Cheers,
--
⢀⣴⠾⠻⢶⣦⠀ Raphaël Hertzog <hertzog@debian.org>
⣾⠁⢠⠒⠀⣿⡁
⢿⡄⠘⠷⠚⠋ The Debian Handbook: https://debian-handbook.info/get/
⠈⠳⣄⠀⠀⠀⠀ Debian Long Term Support: https://deb.li/LTS