Re: Is a bug RC relevant if it has an influence on the health of a person
On Thu, Sep 09, 2010 at 10:34:09PM +1000, Ben Finney wrote:
> >From your description, I'd guess one of ???causes serious data loss??? (???
Strictly speaking I do not really regard the problem in #596219 as a
data loss - the available data are just not properly handled which can
have a really bad effect. I understood "serious data loss" as a random
deletion of data this package or even another package would cause or
things like this.
We as computer experts are probably not in a position to decide whether
some data which are not kept in a database of an application is serious
or not. Even worse there could be an expert who has a secure proof that
you can not be allergic against water itself but only in combination
with sugar and thus the bugfix is not important any more because the
upstream author just is not aware of this new research (just to
overstress this example - know it does not really fit). We are in a
position where we are not able to decide whether a problem is serious or
not just by reading the code.
> or ???makes the package in question unusable or mostly so??? (???
> ???grave???) would apply. What do you think?
In practice the package is definitely usable as long as no patient with
a double allergy asks a doctor who is using GNUmed in production (most
probably less than 100 in the life time of Squeeze) for some medicine
which exactly contains these both drugs. This is no excuse to not fix
the problem but I would not regard the package as unusable.
> > IMHO we should enhance our definition for what RC critical means.
> I think we need to make better use of the severity levels already
> available, and leave it to the release managers to decide which ones
> will delay the release of Debian.
I agree here but I would like to correct the wording: We do not need to
"make better use" but we need to define more clearly what cases might
lead to a certain severity level and what not. IMHO cases like those
above are not properly covered and if I think about the time after the
Squeeze release how to handle problems like this. What kind of problems
will justify a Debian Security Alert and what not, etc. Is it correct
to release software which might need an urgent change in Debian stable
or should we rather go to volatile?