Hi,

On 18/10/2022 22:31, Moritz Muehlenhoff wrote:
> On Tue, Oct 18, 2022 at 02:17:32PM +0200, Hans van Kranenburg wrote:
>> Does explicitly opening a BTS bug mean that, like we use to call it,
>> "these CVEs warrant a DSA",
>
> No, in general we aim to file bugs for any open CVEs regardless of
> the DSA state. This allows people to see that an issue is known
> (and some maintainers might also not have noticed in time).

Ok!

>> and that it is a request for an ASAP package
>> update and preparing a security update for stable, or, is this a new
>> thing where BTS bugs are opened for packages, just in case the
>> maintainer did not already track security issues themselves actively?
>
> For the latest set of Xen issues my estimate is that we can postpone
> them until the next batch, they seem all of moderate/limited impact.
> But let me know if you think otherwise.

I agree. Let's do them together with the new stuff that's planned for
Nov 1st, https://xenbits.xen.org/xsa/

Hans