
Re: What you can do for "Lenny"



On Tuesday 7 October 2008 02:33, Charles Plessy wrote:
> as one of the maintainers of the packages affected by the mass bug filing
> named "The possibility of attack with the help of symlinks in some Debian
> packages", I would like to make a comment:
>
> Most of these bugs can only be exploited by a local user, are not
> regressions, and do not permit obtaining superuser privileges. In the
> case of my package, the whole process of solving the issue in emergency
> consumed a lot of time that could have been saved by adopting a simpler
> workflow: report upstream, wait for the fix, and backport if necessary
> or possible.
>
> How about downgrading the severity of the bug reports to a level that
> reflects the severity of the problem?

I don't think this suggestion would gain us very much. The number of these 
bugs still open is around a handful, and nearly all of them are already fixed 
in some way, just not in Lenny.

These bugs come at different severities and we've already been adjusting bug 
severities where we think it's appropriate. However, for 'your average temp 
file race', the fix is trivial, so I would not see a reason to knowingly 
release lenny with it. I think the bug can be downgraded when a good 
explanation can be given why it would be undesirable to fix this specific bug 
for lenny. For these bugs normally it is faster and better to fix the bug 
than to be discussing the exact severity.


Thijs

Attachment: pgp_dOWku7oxb.pgp
Description: PGP signature
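The "average temp file race" Thijs refers to, and its one-line fix, shown as an added example that is not code from this thread or from any of the affected packages. It runs entirely inside a private sandbox directory that stands in for /tmp; the file name victim.conf, the report.<pid> naming scheme and the PID 4242 are constructed stand-ins for whatever a real package script would use.

```shell
#!/bin/sh
# Added example (not from the thread): a predictable temp-file name versus
# mktemp(1). Everything happens in a private sandbox directory, so nothing
# in the real /tmp is touched. "victim.conf", "report.<pid>" and the PID
# 4242 are constructed stand-ins for a package script's real paths.
set -u

SANDBOX=$(mktemp -d)                      # stands in for /tmp
trap 'rm -rf "$SANDBOX"' EXIT
TARGET="$SANDBOX/victim.conf"             # the file an attacker wants clobbered

reset_target() {
    printf 'original content\n' > "$TARGET"
}

# Attacker step: a local user who can guess the name (here report.$PID)
# plants a symlink there before the victim script runs.
attacker_plant_symlink() {
    ln -sf "$TARGET" "$SANDBOX/report.$1"
}

# Vulnerable pattern, as found in many package scripts: $$ is easy to guess
# and '>' follows an existing symlink, so the write lands in TARGET.
naive_write() {
    tmp="$SANDBOX/report.$1"              # $1 plays the role of $$
    printf 'scratch data\n' > "$tmp"
    cat "$TARGET"                          # what the victim file now holds
}

# Hardened pattern: mktemp creates the file itself with O_CREAT|O_EXCL and
# an unpredictable suffix, so a pre-planted symlink is neither guessable
# nor followed. The fix is a one-line change.
safe_write() {
    tmp=$(mktemp "$SANDBOX/report.XXXXXX") || return 1
    printf 'scratch data\n' > "$tmp"
    cat "$TARGET"
}

# Demo when run directly.
reset_target
attacker_plant_symlink 4242
printf 'naive_write: victim now holds "%s"\n' "$(naive_write 4242)"
reset_target
printf 'safe_write:  victim now holds "%s"\n' "$(safe_write)"
```

The same rule applies to scratch directories (`mktemp -d`) and to C code, where `mkstemp(3)` or `open(2)` with `O_CREAT|O_EXCL` is the equivalent of the shell's `mktemp`; any pattern that picks a name first and opens it second is the race the bug reports describe.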

