Re: Linux 2.0.36 in slink?
Oscar Levi wrote:
> Not necessarily true. A crash bug that affects 1 out of 10000 runs of
> a program is not release critical.
That is correct.
> A security hole, in and of itself, is not a release critical bug.
That is incorrect.
You seem to be confusing a bug that crashes the kernel and a security hole
that may crash the kernel, or allow access to private info, or anything
else. A security hole can be reproduced at will by an attacker, without a
great deal of difficulty.
> We don't have guidelines for release that we can use to decide if this
> is important or not.
Yes we do. We have a release manager who says we will not ship if we have
critical bugs. We have a definition[1] of critical bugs that says "critical
makes unrelated software on the system (or the whole system) break, or
causes serious data loss, or introduces a >>>security hole<<< on systems
where you install the package."
> In your opinion, is it worth a three-week delay
> to switch kernels?
Yes. It's worth a delay to fix any security hole. Debian must not ship with
known security holes. Quality is our priority; we have never sacrificed
quality for marketing concerns.
--
see shy jo
[1] http://www.debian.org/Bugs/Developer.html#severities