On 2021/10/05 20:38, Sebastiaan Couwenberg <sebas...@xs4all.nl> wrote:
> Security issues in packages are tracked via CVEs in:
>
> https://security-tracker.debian.org/tracker/
>
> Only high severity issues are worth our time to fix in stable. If you
> don't follow proper procedure and get CVEs for your security issues,
> they won't get any severity assigned and hence won't get fixed in stable.
Your stance contradicts what's documented on https://www.debian.org/security/

"We handle all security problems brought to our attention and ensure that they are corrected within a reasonable timeframe."

Nothing about a CVE requirement on that page. Nor here:

https://www.debian.org/security/cve-compatibility

Or here:

https://www.debian.org/security/faq#handling

"How is security handled in Debian?

Once the security team receives a notification of an incident, one or more members review it and consider its impact on the stable release of Debian (i.e. if it's vulnerable or not). If our system is vulnerable, we work on a fix for the problem. ..."

The wording is "brought to your attention" and "receive a notification", but nowhere is there an official "proper procedure" which requires reporters to obtain a CVE.

Why are you hiding behind a "proper procedure" which doesn't exist - when this should really be about protecting Debian users from a security vulnerability?

Max