Re: a question about BTS severities
Herbert Xu wrote:
> Joey Hess <joey@kitenet.net> wrote:
> > Herbert Xu wrote:
> >>
> >> I disagree. If a package causes a remote root exploit to be available, even
> >> if it's only in a very specific configuration, I would say that it is critical.
>
> > No, it's grave. All security bugs are grave, it's part of the definition of
> > that priority. And later in my message, I said:
>
> Actually, it should be critical if it's a root exploit. Grave only includes
> those that only comprise the user's account.
Last I checked, root is a user. This is not a formal definition we're
working from, please use common sense. (Note: grave is a _higher_ priotity
than critical. Note also: root exploits tend to turn into user account
exploits as soon as the attacker wants them to.)
--
see shy jo
Reply to: