Hi Sylvain,

On Mon, Apr 08, 2019 at 10:18:08PM +0200, Sylvain Beucler wrote:
> Hi,
>
> On 08/04/2019 21:56, Holger Levsen wrote:
> > On Mon, Apr 08, 2019 at 09:51:19PM +0200, Salvatore Bonaccorso wrote:
> >> Recently I noticed that for a no-dsa (either for no-dsa or the
> >> stronger ignored) as explanation was started to be used e.g. "not used
> >> by any sponsor".
>
> That sounds related to my triage of libpodofo today.

It was at least the trigger for my mail ;-)

> Firstly, as an aside, it seemed to me that <ignored> was not stronger,
> but more precise than <no-dsa> (a "sub-state" as documented at
> https://security-team.debian.org/security_tracker.html#issues-not-warranting-a-security-advisory
> ).
> Let me know if you prefer we use <no-dsa>

Yep, I know about the sub-state distinction. What I meant with stronger
can maybe be illustrated as follows: while an issue marked as no-dsa
might be reconsidered, postponed definitively to be looked at at the
next update we want to have for a specific source package, ignored is
stronger in the sense that we are likely not going to look at this
anymore from the security team's point of view (well, one can always
reconsider, but let's say that is the intention at the point when
someone adds the entry in the list for a specific CVE and suite). It
does not mean it cannot be fixed, but it somehow goes down on the radar.

Anyway, that was not the main point. I raised the concern about the
'not used by any sponsors' part. Using the appropriate sub-state as
needed is fine, so whatever it will be for the respective entry, either
no-dsa, postponed or ignored for the respective triage.

> >> If LTS is meant as Debian project, then I would suggest not to start
> >> to use those formulations, which I think are fine for ELTS, which is a
> >> dedicated project not on Debian directly. Saying something is not DSA
> >> worthy or is going to be ignored, because it's not used by a LTS
> >> sponsor will give a signal to others that indeed, Debian LTS is not a
> >> generic Debian project.
> >
> > thanks for bringing this up. FWIW, I agree with you.
>
> Secondly, being my first go at triaging, I looked at past triages, and
> the first occurrence of "not used by any sponsor" is from last August,
> so I believed that was a good reason to document it as an additional
> reason (the main reason being it's a caught exception / basic DoS, not a
> crash with memory overwrite & co., plus a low popcon for Jessie).
>
> But I'll leave that out from now on.
>
> >> Just stick to "Minor issue" in such cases if something is not DSA
> >> worthy because the issue is minor, but do not make it dependent on if
> >> a paying LTS sponsor is using it or not.
> >
> > (or don't mark it "Minor issue" if it's not minor. This should also
> > hopefully make it more likely someone picks it up as a volunteer effort,
> > eg when proving one is capable of lts work...)
>
> FWIW I like when we justify why it is minor.

Sure, I really wanted to highlight the 'not used by any sponsor' part.
It is perfectly fine to write more there, not just "Minor issue", and
give some concise reasoning on why something is no-dsa, ignored or
postponed. Just try to keep it concise (or, in other words, do not let
it become a novel).

Hope this helps,

Regards,
Salvatore