After some discussion about what no-dsa really means, I've added 2 new
sub-states to the tracker, and they can be used as follows:
CVE-2018-10012345
- foo <unfixed> (bug #9876543)
[stretch] - shadow <postponed> (Minor issue, later)
[jessie] - shadow <postponed> (Minor issue, later)
[wheezy] - shadow <postponed> (Minor issue, later)
CVE-2018-10012346
- foo <unfixed> (bug #9876542)
[stretch] - shadow <ignored> (maintainer choice)
[jessie] - shadow <ignored> (maintainer choice)
[wheezy] - shadow <ignored> (maintainer choice)
The actual state will still be "no-dsa" in both cases, but hopefully the
sub-state clears things up as to *why* we chose no-dsa.
The per-issue web views does expose those sub-states, see for instance
libemail-address-perl[1] and cacti[2], and the status pages[3][4][5]
allow to filter on them (someone with actual web skills should probably
make it so that checking "include issues tagged <ignored/postponed>"
automatically checks "include issues tagged <no-dsa>").
Cheers,
--Seb
[1]
https://security-tracker.debian.org/tracker/source-package/libemail-address-perl
[2] https://security-tracker.debian.org/tracker/source-package/cacti
[3] https://security-tracker.debian.org/tracker/status/release/stable
[4] https://security-tracker.debian.org/tracker/status/release/oldstable
[5] https://security-tracker.debian.org/tracker/status/release/oldoldstable
