
Re: Linux 2.0.36 in slink?



Oscar Levi wrote:
> Not necessarily true.  A crash bug that affects 1 out of 10000 runs of
> a program is not release critical.

That is correct.

> A security hole, in and of itself, is not a release critical bug.

That is incorrect.

You seem to be confusing a bug that crashes the kernel and a security hole
that may crash the kernel, or allow access to private info, or anything
else. A security hole can be reproduced at will by an attacker, without a
great deal of difficulty.

> We don't have guidelines for release that we can use to decide if this
> is important or not.

Yes we do. We have a release manager who says we will not ship if we have
critical bugs. We have a definition[1] of critical bugs that says "critical
makes unrelated software on the system (or the whole system) break, or
causes serious data loss, or introduces a >>>security hole<<< on systems
where you install the package."

> In your opinion, is it worth a three-week delay
> to switch kernels?

Yes. It's worth a delay to fix any security hole. Debian must not ship with
known security holes. Quality is our priority; we have never sacrificed
quality for marketing concerns.

-- 
see shy jo

[1] http://www.debian.org/Bugs/Developer.html#severities

