On Mon, Mar 18, 2024 at 09:40:45PM +0100, Moritz Muehlenhoff wrote:
> Emilio Pozuelo Monfort wrote:
> > Small nitpick: a CVE 'ignored' for (old)stable can still be fixed via point
> > release. The sec-team could be contacted to update that triaging, but that's
> > only ignored for (old)stable-security, not for (old)stable, where other
> > criteria apply. The reason following the ignored triaging may give some
> > more insight as to why it was ignored and why it may or may not make sense
> > to fix in a point release.
>
> That's not in line with established practices, see
> https://security-team.debian.org/triage.html
>
> | Some packages should rather not be fixed at all, e.g. because the possible
> | benefit does not outweigh the risk/costs of an update, or because an update
> | is not possible (e.g. as it would introduce behavioural changes not appropriate
> | for a stable release). In the Security Tracker these are tracked with the
> | <ignored> state.
But there is a problem that many <ignored> are not correct, or at least
lack a valid justification:

$ git grep "<ignored> (Minor issue)" | grep bookworm | wc -l
29
$ git grep "<ignored> (Minor issue)" | grep bullseye | wc -l
191
$

"Minor issue" is a good justification for no-dsa, but not for ignored.

And when I look through some of these I see CVEs like CVE-2023-48958[1]
where <ignored> is likely outright wrong, or (unlikely) lacks an
explanation that it causes a regression.

> Cheers,
> Moritz

cu
Adrian

[1] https://security-tracker.debian.org/tracker/CVE-2023-48958
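The `git grep | grep | wc -l` pipeline above counts matching lines but cannot tell which CVEs they belong to, and it would also count an <ignored> whose justification merely starts with "Minor issue". The script below is an added example, not Adrian's command nor any Debian security-team tool: it parses the suite-specific triage lines of the tracker's data/CVE/list format (assumed here to be `[suite] - package <state> (reason)` lines under a `CVE-...` header, as in the tracker repository) and lists, per suite, the <ignored> entries whose only justification is "Minor issue", i.e. the ones the message argues should rather be <no-dsa> or carry a real reason. The embedded sample is constructed with placeholder CVE numbers (CVE-0000-...) and is not real tracker data.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of data/CVE/list. The real file indents
# the per-suite lines with a tab; strip() below accepts either. The CVE
# numbers are placeholders, not real identifiers.
SAMPLE = """\
CVE-0000-0001 (Constructed example one)
    - foo 1.2-3 (bug #1000)
    [bookworm] - foo <ignored> (Minor issue)
    [bullseye] - foo <ignored> (Minor issue)
CVE-0000-0002 (Constructed example two)
    - bar 2.0-1
    [bookworm] - bar <no-dsa> (Minor issue)
    [bullseye] - bar <ignored> (Fix would change behaviour, not suitable for stable)
CVE-0000-0003 (Constructed example three)
    - baz <unfixed>
    [bullseye] - baz <ignored> (Minor issue)
"""

HEADER_RE = re.compile(r'^CVE-\d{4}-\d{4,}')
# [suite] - package <state> (optional reason)
ENTRY_RE = re.compile(
    r'^\[(?P<suite>[^\]]+)\] - (?P<pkg>\S+) <(?P<state>[^>]+)>'
    r'(?: \((?P<reason>.*)\))?$'
)


def parse_triage(text):
    """Yield (cve, suite, package, state, reason) for every per-suite line."""
    cve = None
    for raw in text.splitlines():
        line = raw.strip()
        if HEADER_RE.match(line):
            cve = line.split()[0]
            continue
        m = ENTRY_RE.match(line)
        if m and cve:
            yield cve, m['suite'], m['pkg'], m['state'], (m['reason'] or '').strip()


def weak_ignored(text, suite):
    """CVEs in `suite` marked <ignored> with no justification beyond 'Minor issue'."""
    return [
        cve
        for cve, s, _pkg, state, reason in parse_triage(text)
        if s == suite and state == 'ignored' and reason == 'Minor issue'
    ]


def count_weak_ignored(text):
    """Per-suite count of such entries, the equivalent of the wc -l figures."""
    counts = defaultdict(int)
    for _cve, suite, _pkg, state, reason in parse_triage(text):
        if state == 'ignored' and reason == 'Minor issue':
            counts[suite] += 1
    return dict(counts)


if __name__ == '__main__':
    for suite, n in sorted(count_weak_ignored(SAMPLE).items()):
        print(f'{suite}: {n} <ignored> entries justified only as "Minor issue"')
        for cve in weak_ignored(SAMPLE, suite):
            print(f'  {cve}  https://security-tracker.debian.org/tracker/{cve}')
```

Run against a checkout of the tracker repository by replacing SAMPLE with the contents of data/CVE/list; the per-CVE listing is what you need to go through the entries one by one, as the message does for CVE-2023-48958, and decide whether each should be retriaged to <no-dsa> or given a justification that explains the regression risk.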
