Hi

Now I understand better. I thought postponed was used for updates in next
point release. Now I understand the difference. In this case I think it
would be good if it is more visible in the security tracker so people who
update the package next time will not ignore it.

Best regards

// Ola

On 12 April 2018 at 16:11, Salvatore Bonaccorso <car...@debian.org> wrote:

> Hi
>
> On Thu, Apr 12, 2018 at 03:44:36PM +0200, Ola Lundqvist wrote:
> > I do not think we really have the possibility to postpone issues in LTS,
> > right?
>
> Sure, it is possible; it's no different than for the security team. Say
> src:a has issue CVE-2018-12345, this does not warrant an immediate DLA, but
> it's important enough to be fixed, and you want to make sure it's
> fixed on the next update. With postponed you mark that on the next DLA
> you want this fix to be included. You can mark it as well as <no-dsa>,
> but the <postponed> is a sub-state of <no-dsa> explicitly introduced
> to help find those no-dsa entries which are still worth including in the
> next DSA. Then when src:a has the next CVE open and you evaluate it
> needs a DSA/DLA you pick that and you pick as well those which are
> <postponed>, unmark them from <postponed> and prepare updates
> including those CVE fixes which were previously postponed.
>
> Regards,
> Salvatore
>
>


-- 
 --- Inguza Technology AB --- MSc in Information Technology ----
/  o...@inguza.com                    Folkebogatan 26            \
|  o...@debian.org                   654 68 KARLSTAD            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
 ---------------------------------------------------------------
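
The workflow described in the quoted reply, as an added example that is not part of the original thread and is not the security tracker's own code: when a package is about to get an update, collect the entries marked `<postponed>` for that release so they are bundled in, and leave plain `<no-dsa>` entries alone. The entry layout is an assumption modelled on the tracker's CVE list; the function names are hypothetical and every sample entry is constructed.

```python
import re
from collections import defaultdict

# Constructed sample entries; the layout is an assumption, not copied from the tracker.
SAMPLE = """\
CVE-2018-12347 (constructed entry: new issue that warrants a DLA)
\t- a <unfixed>
CVE-2018-12346 (constructed entry: minor issue, not worth revisiting)
\t- a <unfixed>
\t[jessie] - a <no-dsa> (Minor issue)
CVE-2018-12345 (constructed entry: worth fixing, but not urgent)
\t- a <unfixed>
\t[jessie] - a <postponed> (Minor issue, fix along with next update)
\t[stretch] - a <no-dsa> (Minor issue)
CVE-2018-12344 (constructed entry: different source package)
\t- b <unfixed>
\t[jessie] - b <postponed> (Minor issue)
"""

HEADER = re.compile(r"^(CVE-\d{4}-\d+)\b")
# Release-specific annotation: "[release] - package <state> (note)"
ANNOT = re.compile(r"^\s+\[(\w+)\]\s+-\s+(\S+)\s+<([\w-]+)>")


def substates(text):
    """Map (release, package) -> {state: [CVE ids]} from release annotations."""
    result = defaultdict(lambda: defaultdict(list))
    cve = None
    for line in text.splitlines():
        header = HEADER.match(line)
        if header:
            cve = header.group(1)
            continue
        annot = ANNOT.match(line)
        if annot and cve:
            release, package, state = annot.groups()
            result[(release, package)][state].append(cve)
    return result


def fixes_for_next_update(text, release, package):
    """CVE ids to bundle into the next DSA/DLA of `package` in `release`."""
    return sorted(substates(text)[(release, package)]["postponed"])


if __name__ == "__main__":
    print("bundle with next jessie update of a:",
          fixes_for_next_update(SAMPLE, "jessie", "a"))
```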
