From: Salvatore Bonaccorso
Newsgroups: linux.debian.security
Subject: Re: security-tracker: A proposal to significantly reduce reported false-positives (no affected-code shipped)
Date: Sun, 13 Apr 2025 17:40:01 +0200
To: Samuel Henrique
Cc: Debian Security Team, debian-security@lists.debian.org, Emilio Pozuelo Monfort, Moritz Mühlenhoff
List-Archive: https://lists.debian.org/msgid-search/Z_vZGrl0EwDtxPN_@eldamar.lan

Hi,

On Sun, Apr 13, 2025 at 04:06:38PM +0100, Samuel Henrique wrote:
> Hello everyone,
>
> On Sun, 2 Mar 2025 at 20:26, Samuel Henrique wrote:
> > Just checking if you would have time to look into this.
>
> Sending another ping, this proposal is now 1 year old.
>
> For clarity, I'm not requesting the team to do any work here. I can work on the
> changes, I just need a decision on the solution.
>
> Personally, I have it as a high priority to cut down those 20% false-positive
> CVEs reported for Debian containers, since a lot of official containers are
> based on us, but this will also help non-container users.
>
> I'm hoping that sending this is fine, but let me know if I should have waited
> more than a month from the previous message.

Yes, it's fine that you do a ping on things which are of a priority for you. And just to be clear, the security-tracker is very important to me as well, in particular to enable our work ;-)

I believe the changes should go in the direction I tried to highlight, or more concretely have a "nonissue" state, which still reflects correctly that the issue is there, but without any (practical) impact. That will make for instance moot the unimportant severity, which can only be applied as a whole to a source entry, but not to individual suite entries.

I have not gone through all details of your proposal, but the high level view is IMHO as described in short above.

For instance, for the zlib issues that would then move the entries from the ignored state (which is a substate of no-dsa and apparently commercial security scanners are not willing to parse or adapt to) to the more narrowed down and specified substate of nonissue. In particular, such a vulnerability state could exactly reflect as well per suite entry in case the state changes between them.

Hope this clarifies that you are not being ignored (heh ;-) no pun intended here :)), which is as well quite important to me to let you know.

Regards,
Salvatore
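The distinction Salvatore draws above (a severity such as "unimportant" lives on the source-wide line of a CVE entry, while state tags such as no-dsa, ignored and postponed are set per suite) is easiest to see on concrete entries. The following is an added example, not code from the Debian security-tracker or from anyone in this thread. It parses a constructed, simplified imitation of the tracker's data/CVE/list layout (placeholder CVE ids and package name; indentation with spaces rather than the tab the real file uses), resolves the state for a given suite, and contrasts a scanner that keys only on the state tag with one that honours the source-wide severity. The `<nonissue>` tag is the hypothetical per-suite state proposed in the thread, not a tag the tracker currently defines.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Severities and state tags as written in the tracker's CVE list; the tag set
# here is reduced to what the example needs.
SEVERITIES = {"unimportant", "low", "medium", "high"}
NO_DSA_FAMILY = {"no-dsa", "ignored", "postponed"}  # "ignored" is a no-dsa substate
PROPOSED_NONISSUE = "nonissue"  # hypothetical per-suite tag from the thread, not a real one

# Constructed sample in a simplified data/CVE/list layout. CVE ids and the
# package name are placeholders; NOTE lines are skipped like in the real file.
SAMPLE = """\
CVE-0000-0001 (constructed: flaw in an optional component Debian does not build)
    - examplepkg <unfixed> (unimportant)
    [bookworm] - examplepkg <ignored> (optional component not built)
    [bullseye] - examplepkg <no-dsa> (Minor issue)
CVE-0000-0002 (constructed: real flaw, fixed in unstable only)
    - examplepkg 2.0-1 (bug #999999; low)
    [bookworm] - examplepkg <postponed> (Minor issue, fix along with next update)
    NOTE: constructed note line, ignored by the parser
CVE-0000-0003 (constructed: same flaw as CVE-0000-0001 using the proposed per-suite state)
    - examplepkg 2.1-1
    [bookworm] - examplepkg <nonissue> (optional component not built)
"""


@dataclass
class Entry:
    suite: Optional[str]  # None means the source-wide line
    package: str
    version: str  # a version string or a <tag>
    note: str = ""

    @property
    def tag(self) -> Optional[str]:
        return self.version[1:-1] if self.version.startswith("<") else None


@dataclass
class Issue:
    cve: str
    description: str
    entries: list = field(default_factory=list)

    def source_wide(self) -> Optional[Entry]:
        return next((e for e in self.entries if e.suite is None), None)

    def severity(self) -> Optional[str]:
        # Severity is only carried by the source-wide line, never per suite.
        src = self.source_wide()
        if src is None:
            return None
        parts = [p.strip() for p in src.note.split(";")]
        return next((p for p in parts if p in SEVERITIES), None)


HEADER_RE = re.compile(r"^(CVE-\d{4}-\d{4,})(?:\s+\((.*)\))?$")
ENTRY_RE = re.compile(r"^(?:\[(\S+)\]\s+)?-\s+(\S+)\s+(\S+)(?:\s+\((.*)\))?$")


def parse_list(text: str) -> dict:
    """Return {cve_id: Issue} from list-style text (header line, indented entries)."""
    issues, current = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0] not in " \t":  # unindented: a new CVE header
            m = HEADER_RE.match(raw.strip())
            if not m:
                raise ValueError(f"bad header line: {raw!r}")
            current = Issue(m.group(1), m.group(2) or "")
            issues[current.cve] = current
            continue
        line = raw.strip()
        if line.startswith(("NOTE:", "TODO:", "{")):  # notes / advisory refs
            continue
        m = ENTRY_RE.match(line)
        if current is None or not m:
            raise ValueError(f"bad entry line: {raw!r}")
        current.entries.append(Entry(m.group(1), m.group(2), m.group(3), m.group(4) or ""))
    return issues


def suite_status(issue: Issue, suite: str) -> tuple:
    """(state, severity) for one suite; the suite line wins over the source-wide
    line. Version comparison against the suite's archive is deliberately omitted."""
    entry = next((e for e in issue.entries if e.suite == suite), None) or issue.source_wide()
    if entry is None:
        return ("undetermined", None)
    tag = entry.tag
    if tag == PROPOSED_NONISSUE:
        return ("nonissue", None)  # issue present, no practical impact, per suite
    if tag == "unfixed" or tag in NO_DSA_FAMILY:
        return (f"vulnerable/{tag}", issue.severity())  # severity is inherited, not per suite
    if tag is None:
        return ("fixed", None)
    return (tag, None)  # not-affected, removed, undetermined, ...


def is_reported_affected(issue: Issue, suite: str, honor_unimportant: bool = False) -> bool:
    """A scanner keyed only on the state tag flags every vulnerable/* state; one
    that honours 'unimportant' suppresses it, but for all suites at once."""
    state, severity = suite_status(issue, suite)
    if not state.startswith("vulnerable/"):
        return False
    return not (honor_unimportant and severity == "unimportant")


ISSUES = parse_list(SAMPLE)

if __name__ == "__main__":
    for cve, issue in ISSUES.items():
        for suite in ("bookworm", "bullseye", "sid"):
            print(cve, suite, suite_status(issue, suite), is_reported_affected(issue, suite))
```

Running it shows the asymmetry the mail describes: CVE-0000-0001 carries "unimportant" for bookworm, bullseye and sid alike, because the severity sits on the source-wide line, and a scanner that parses only the `<ignored>`/`<no-dsa>` tags still reports all three as affected. CVE-0000-0003 expresses the same situation with the proposed per-suite `<nonissue>` state, which a tag-only consumer can treat as "present but no practical impact" without reading severities at all.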