Hi John,

On Fri, May 24, 2024 at 01:57:01PM -0400, John Waffle wrote:
> Hello,
>
> I was thinking about this a bit more and I had a question,
>
> > Let me as well elaborate on the "ignored". This comes as the binary
> > packages built from the *vulnerable* source, there is no point to force an
> > update in bookworm and older.
>
> It sounds like Debian uses the "ignored" state to mean "this bug does not
> affect the Debian package".
>
> Is there another state that's used to indicate "won't fix"? Can we assume
> that "ignored" always means "won't fix"? Or can "ignored" mean either thing
> and we'd have to look in the notes to know for sure?
Thanks for the query.

https://security-team.debian.org/security_tracker.html#issues-not-warranting-a-security-advisory
explains how <ignored> is to be interpreted when encountered. I think a
security scanner encountering it can classify it accordingly so that no
flag is raised.

Hope that helps,

Regards,
Salvatore
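The classification Salvatore describes, worked through as an added example that is not part of the thread or of any Debian tool. It assumes the per-release fields of the security tracker's JSON export (`status`, `urgency`, `fixed_version`, `nodsa`, `nodsa_reason`) have the names used below; that layout is the example author's understanding of https://security-tracker.debian.org/tracker/data/json and should be checked against a live download. The package name and CVE ids in the sample are constructed placeholders.

```python
"""Classify Debian Security Tracker per-release entries for a scanner.

Example code, not from the mailing-list thread. The field names `status`,
`urgency`, `fixed_version`, `nodsa` and `nodsa_reason` are an assumption
about the tracker's JSON export; verify them before relying on this.
"""
import json

# Constructed sample resembling the tracker's JSON export; every value is made up.
SAMPLE_JSON = """
{
  "examplepkg": {
    "CVE-0000-0001": {
      "description": "constructed: minor issue, marked ignored in stable",
      "releases": {
        "bookworm": {"status": "open", "urgency": "low",
                     "nodsa": "Minor issue", "nodsa_reason": "ignored"},
        "sid": {"status": "resolved", "urgency": "low", "fixed_version": "1.2.3-1"}
      }
    },
    "CVE-0000-0002": {
      "description": "constructed: fix queued for a point release",
      "releases": {
        "bookworm": {"status": "open", "urgency": "medium",
                     "nodsa": "Fix via point release", "nodsa_reason": "no-dsa"}
      }
    },
    "CVE-0000-0003": {
      "description": "constructed: genuinely open, no decision recorded",
      "releases": {"bookworm": {"status": "open", "urgency": "high"}}
    },
    "CVE-0000-0004": {
      "description": "constructed: not a security issue in Debian",
      "releases": {"bookworm": {"status": "open", "urgency": "unimportant"}}
    }
  }
}
"""

# Verdicts a scanner can act on.
NO_FLAG = "no-flag"            # nothing to report
INFO = "informational"         # Debian has decided; fix expected via point release
FLAG = "flag"                  # unfixed and no recorded decision
NEEDS_REVIEW = "needs-review"  # tracker has not determined affectedness


def classify_release(entry: dict) -> tuple[str, str]:
    """Return (verdict, reason) for one release-level tracker entry."""
    status = entry.get("status")
    urgency = entry.get("urgency")
    if status == "resolved":
        return NO_FLAG, f"fixed in {entry.get('fixed_version', '?')}"
    if status == "undetermined":
        return NEEDS_REVIEW, "tracker has not determined whether the release is affected"
    if urgency in ("unimportant", "end-of-life"):
        return NO_FLAG, f"urgency {urgency}: not tracked as a security issue"
    reason = entry.get("nodsa_reason")
    if reason == "ignored":
        # <ignored> is a deliberate decision not to fix in this release: no flag,
        # but keep the tracker's note so the verdict is explainable.
        return NO_FLAG, f"ignored: {entry.get('nodsa', '')}".rstrip(": ")
    if reason in ("no-dsa", "postponed"):
        # Fix is expected outside a DSA (point release); report, do not alert.
        return INFO, f"{reason}: {entry.get('nodsa', '')}".rstrip(": ")
    return FLAG, f"open, urgency {urgency}, no no-dsa decision"


def classify_tracker(data: dict, release: str) -> dict[str, tuple[str, str]]:
    """Map 'pkg/CVE' -> (verdict, reason) for every issue with an entry for `release`."""
    out = {}
    for pkg, issues in data.items():
        for cve, info in issues.items():
            rel = info.get("releases", {}).get(release)
            if rel is not None:
                out[f"{pkg}/{cve}"] = classify_release(rel)
    return out


def classify_sample(release: str = "bookworm") -> dict[str, tuple[str, str]]:
    """Run the classifier over the constructed sample for one release."""
    return classify_tracker(json.loads(SAMPLE_JSON), release)


if __name__ == "__main__":
    for key, (verdict, why) in sorted(classify_sample().items()):
        print(f"{key:28} {verdict:14} {why}")
```

The design point is that "ignored" is only one of several tracker decisions that should not raise a flag, and a scanner that collapses all of `status == "open"` into an alert will produce exactly the noise the question is about; keeping the tracker's `nodsa` note in the verdict makes each suppression auditable.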