Re: Bug severity and private data disclosure

[Ian Jackson <ijackson@chiark.greenend.org.uk>]

(I have CC'd cups-client@packages.)

Vincent Lefevre writes ("Bug severity and private data disclosure"):
> I reported a bug involving private data disclosure, more precisely,
> on some network, when printing a file with CUPS 1.6, the file is
> printed on a wrong printer[*]. The bug severity was downgraded to
> important (i.e. non-RC), despite the obvious security problem. The
> given reason was that this kind of security problem is not mentioned
> on:

I agree with you that that bug is a potential security vulnerability.
I think the maintainer adopted an overly-close and legalistic reading
of the bug severity guidelines.  On the other hand I think the
maintainer makes good points about the lack of widespread impact.

I'm not sure exactly what consequences you think should have flowed
from the bug's RC severity.  Do you think the release should have been
delayed ?  CUPS removed from wheezy ?  Presumably not.  So it should
have been RC-ignored for wheezy.

So I agree with the main thrust of the maintainer's comments, that
this bug severity discussion is a side issue which risks distracting
us from fixing the bug.

If what you're trying to do is improve the wording of the bug severity
guidelines, have you considered emailing owner@bugs ?

Ian.