After some discussion about what no-dsa really means, I've added 2 new sub-states to the tracker, and they can be used as follows:
CVE-2018-10012345 - foo <unfixed> (bug #9876543) [stretch] - shadow <postponed> (Minor issue, later) [jessie] - shadow <postponed> (Minor issue, later) [wheezy] - shadow <postponed> (Minor issue, later) CVE-2018-10012346 - foo <unfixed> (bug #9876542) [stretch] - shadow <ignored> (maintainer choice) [jessie] - shadow <ignored> (maintainer choice) [wheezy] - shadow <ignored> (maintainer choice) The actual state will still be "no-dsa" in both cases, but hopefully the sub-state clears things up as to *why* we chose no-dsa. The per-issue web views does expose those sub-states, see for instance libemail-address-perl[1] and cacti[2], and the status pages[3][4][5] allow to filter on them (someone with actual web skills should probably make it so that checking "include issues tagged <ignored/postponed>" automatically checks "include issues tagged <no-dsa>"). Cheers, --Seb [1] https://security-tracker.debian.org/tracker/source-package/libemail-address-perl [2] https://security-tracker.debian.org/tracker/source-package/cacti [3] https://security-tracker.debian.org/tracker/status/release/stable [4] https://security-tracker.debian.org/tracker/status/release/oldstable [5] https://security-tracker.debian.org/tracker/status/release/oldoldstable