
Re: Bug#496386: The possibility of attack with the help of symlinks in some Debian packages

Christian Perrier wrote:

>> This is far below the quality I expect from a mass bug filing that's been
>> reviewed by debian-devel.  Mass bugfilings at RC severity need to be held to
> Even though I overread the thread when Dmitry posted his intent to
> -devel, I feel like there was *no* strong agreement that this MBF was
> really wished and welcomed.

It is very welcome and I disagree with the complaints voiced so far.
Yes, the template is suboptimal, he didn't set a "security" tag,
but most of the issues I've reviewed so far are genuine problems.
There're certainly not more false reports than the "bogus ratio"
of bugs filed by regular users.

> I should also have added that I personally strongly object to it for
> three reasons:
> - timing wrt the release
> - timing wrt the "half of the developers are VAC" status we generally
>   have in August

So, what's the solution you propose instead? Issue lots of DSAs
post-release? Keep them under the carpet?

> It may sound like acting against the "we will not hide problems" item
> in the Social Contract, but I wouldn't be shocked if *all* these RC
> bugs are downgraded to important (I would even downgrade them to
> wishlist, see the example that made Neil react).
> If I come on any such bug on packages I maintain or co-maintain, I
> will immediately downgrade the bug report in such way, mentally
> thanking the bug submitter for the extra work and ranting about yet
> another nice method to delay the release.

Let's be old-fashioned and fix things instead.
