On Wed, Dec 11, 2024 at 04:33:20PM -0500, Roberto C. Sánchez wrote:

> In summary: let's not prepare DLAs for only one or two low priority CVEs
> (for the reasons discussed above), but let's certainly include the fixes
> when fixing other high priority CVEs. This should be fairly close to
> what we are already doing.

To further clarify: if there are "many"[0] low priority CVEs, then it may still warrant fixing them all via a DLA (even without a high priority CVE being present).

One example of this is qemu, which currently has ~30 CVEs affecting bullseye. (Thanks to Santiago for pointing out this example.) Quickly looking through them, there is enough there to warrant working towards a qemu DLA, even without a higher priority CVE to drive that.

Regards,

-Roberto

[0] I purposefully used "many" rather than give a specific number. As with much of what we do, there is judgment and professional opinion involved. There are some instances where 6 CVEs might be sufficient to warrant a DLA and other instances where 25 CVEs might be insufficient.

-- 
Roberto C. Sánchez
