Hi,

On 08/04/2019 21:56, Holger Levsen wrote:
> On Mon, Apr 08, 2019 at 09:51:19PM +0200, Salvatore Bonaccorso wrote:
>> Recently I noticed that for a no-dsa (either for no-dsa or the
>> stronger ignored) an explanation started to be used, e.g. "not used
>> by any sponsor".

That sounds related to my triage of libpodofo today.

Firstly, as an aside, it seemed to me that <ignored> was not stronger, but more precise than <no-dsa> (a "sub-state" as documented at https://security-team.debian.org/security_tracker.html#issues-not-warranting-a-security-advisory ). Let me know if you prefer we use <no-dsa>.

>> If LTS is meant as a Debian project, then I would suggest not to start
>> to use those formulations, which I think are fine for ELTS, which is a
>> dedicated project not on Debian directly. Saying something is not DSA
>> worthy or is going to be ignored, because it's not used by an LTS
>> sponsor, will give a signal to others that indeed, Debian LTS is not a
>> generic Debian project.
>
> thanks for bringing this up. FWIW, I agree with you.

Secondly, this being my first go at triaging, I looked at past triages, and the first occurrence of "not used by any sponsor" is from last August, so I believed that was a good reason to document it as an additional reason (the main reason being it's a caught exception / basic DoS, not a crash with memory overwrite & cie, plus a low popcon for Jessie). But I'll leave that out from now on.

>> Just stick to "Minor issue" in such cases if something is not DSA
>> worthy because the issue is minor, but do not make it dependent on whether
>> a paying LTS sponsor is using it or not.
>
> (or don't mark it "Minor issue" if it's not minor. This should also
> hopefully make it more likely someone picks it up as a volunteer effort,
> e.g. when proving one is capable of LTS work...)

FWIW I like it when we justify why it is minor.

Cheers!
Sylvain