Hi fellow LTS contributors

Based on the conclusions in the other email thread about firmware nonfree,
I have concluded the following:
1) There are no plans to update buster (by the kernel maintainers)
2) The CVEs are of low impact. You either need local access or in some
cases access to the same wifi network.
3) The correction is rather invasive because the kernel also needs a patch.
4) The kernel maintainers are ok with us making an upload for buster.

There are essentially two ways to handle this:
A) Ignore the problems because they are not very severe.
B) Update, but then this is quite some work and involves kernel patching.
Since customers may use a customer kernel this must be clearly described in
the DLA in that case.

So my question to you is whether you would object to me marking the
current CVEs in firmware-nonfree as no-dsa and removing the package from the
dla-needed file.
The ones that require a kernel patch would then be of no-dsa type "ignored".

Thank you in advance

// Ola

-- 
 --- Inguza Technology AB --- MSc in Information Technology ----
|  o...@inguza.com                    o...@debian.org            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
 ---------------------------------------------------------------
