Re: Bug#496386: The possibility of attack with the help of symlinks in some Debian packages
Christian Perrier wrote:
>> This is far below the quality I expect from a mass bug filing that's been
>> reviewed by debian-devel. Mass bugfilings at RC severity need to be held to
> Even though I overread the thread when Dmitry posted his intent to
> -devel, I feel like there was *no* strong agreement that this MBF was
> really wished and welcomed.
It is very welcome and I disagree with the complaints voiced so far.
Yes, the template is suboptimal, he didn't set a "security" tag,
but most of the issues I've reviewed so far are genuine problems.
There're certainly not more false reports than the "bogus ratio"
of bugs filed by regular users.
> I should also have added that I personally strongly object to it for
> three reasons:
> - timing wrt the release
> - timing wrt the "half of the developers are VAC" status we generally
> have in August
So, what's the solution you propose instead? Issue lots of DSAs
post-release? Keep them under the carpet?
> It may sound like acting against the "we will not hide problems" item
> in the Social Contract, but I wouldn't be shocked if *all* these RC
> bugs are downgraded to important (I would even downgrade them to
> wishlist, see the example that made Neil react).
> If I come on any such bug on packages I maintain or co-maintain, I
> will immediately downgrade the bug report in such way, mentally
> thanking the bug submitter for the extra work and ranting about yet
> another nice method to delay the release.
Let's be old-fashioned and fix things instead.