From da29e92aea51803234d25b6473b4d7fb82dbf7da Mon Sep 17 00:00:00 2001 From: Craig Jennings Date: Wed, 8 Jul 2026 11:47:08 -0500 Subject: chore(maint): retire cve_min_warn from the thresholds The maint probe now grades CVE advisories on actionability (a fixed release exists and isn't installed), not severity, so the severity floor is dead config. The section comment records the retirement. I installed it on both hosts. --- configs/maintenance-thresholds.toml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/configs/maintenance-thresholds.toml b/configs/maintenance-thresholds.toml index 582c408..792a2d5 100644 --- a/configs/maintenance-thresholds.toml +++ b/configs/maintenance-thresholds.toml @@ -50,9 +50,9 @@ cache_warn_gb = 20 # above keep-3 saturation (~17-19GB on ratio # fires within ~2 months if the paccache timer dies keyring_warn_days = 60 # stale archlinux-keyring silently breaks updates -[security] -cve_min_warn = "high" # arch-audit severity floor that warns (the - # constant Unknown/Low tail is background) +# [security] cve_min_warn retired 2026-07-08: the cve grade now keys on +# actionability (a fixed release exists and isn't installed), not severity. +# Unfixable advisories are informational and never warn. [updates] pending_warn = 50 # "a lot" — reddens the strip border -- cgit v1.2.3