From 3c03fef28f2b2a0f1eb44a800d8374b1ad96145c Mon Sep 17 00:00:00 2001
From: Hans-Christoph Steiner <hans@eds.org>
Date: Wed, 4 Sep 2024 16:18:13 +0200
Subject: [PATCH] safety: clarify reason to ignore CVE

---
 .safety-policy.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.safety-policy.yml b/.safety-policy.yml
index cba25ff0..ea44e7e6 100644
--- a/.safety-policy.yml
+++ b/.safety-policy.yml
@@ -39,7 +39,7 @@ report:
           reason: We get these packages from Debian, zipp is not used in production, and its only a DoS.
           expires: '2026-08-31'
         72236:
-          reason: setuptools comes from Debian
+          reason: setuptools is not used in production to download or install packages, they come from Debian.
           expires: '2026-08-31'
 
 fail-scan-with-exit-code: