Am 16.04.19 um 09:17 schrieb Raphael Hertzog: > Hi, > > On Mon, 08 Apr 2019, Markus Koschany wrote: >> "Not used by any sponsor" is often used internally in commit messages as >> an additional comment, reason and clarification why a certain issue is > > In commit message to which repository? > > I think you are mixing the ELTS security tracker here.
No, I don't. > >> marked no-dsa or ignored, mostly intended for those people who work on >> LTS. Of course we always take into consideration how useful a fix is and >> on what we should spend our time on. This should come to no surprise to >> everyone who followed LTS in the past. Debian LTS is only possible >> because of this sponsorship and of course it is part of Debian. > > FWIW, I agree fully with Salvatore that "Not used by any sponsor" is > completely irrelevant for CVE triaging. > > It's relevant when paid LTS contributors have to select which packages > they are going to work on, but it's not relevant to evaluate the > importance of a CVE. > > (The story is very different for ELTS, obviously) I think there is a big misunderstanding here. For instance I have triaged edk2 which is a non-free package in Jessie. Normally we don't support non-free but we make an exception when it is used by sponsors like firmware-nonfree or unrar in the past. Thus when I write non-free is not supported, not used by any sponsor I am clarifying that we should not spend time on such a package. This was always our policy. Also popcon value is a factor to consider for spending time on a fix. When there are only 10 reported installations for a web application like hoteldruid then we usually prioritize more important packages. Hence I have sent an email to the maintainer of hoteldruid with our rationale and asked him if he would like to work on the package in the meantime. I don't agree with Salvatore's concerns and I find "Minor issue" far less informative as a reasoning which the security team uses rather often as a justification. Markus
Description: OpenPGP digital signature