Hi,
On 11/12/2024 18:11, Adrian Bunk wrote:
> On Wed, Dec 11, 2024 at 05:10:54PM +0100, Sylvain Beucler wrote:
>> On 11/12/2024 16:17, Adrian Bunk wrote:
>> and possibly get secteam's general feeling on this (since
>> this is apparently at their initiative).
>> ...
> My understanding is that they were providing a list of packages/CVEs
> where LTS contributors failed to submit fixes for DLA-fixed CVEs to
> bookworm-pu.
If that's the case, then it's all fine.
Seen from a different angle though: maybe LTS contributors shouldn't
have fixed those low-severity CVEs in the first place. Maybe those
weren't worth a fix. But once they are fixed in LTS, by fixing all other
dists for consistency reasons, we may unnecessarily increase the
workload on Debian and LTS, and the risk of regression.
One (old) example: DLA-2602-1 fixed many UBSAN-based low-severity CVEs
in imagemagick, bringing 24 more backports on top of the 200+ already
present.
Maybe Debian welcomes this kind of fix, or maybe it considers it an
annoyance. (When following Stable, we're sure it's welcome.)
That's what I've been trying to figure out in this thread, I hope this
is clearer.
Cheers!
Sylvain