On Tuesday 7 October 2008 02:33, Charles Plessy wrote: > as one of the maintainer of the packages affected by the mass bug filing > named "The possibility of attack with the help of symlinks in some Debian > packages", I would like to make a comment: > > Most of these bugs can only be exploited by a local user, are not > regressions, and do not permit to obtain superuser priviledges. In the > case of my package, the whole process of solving the issue in emergency > consumed a lot of time that could have been saved by adopting a simpler > workflow: report upstream, wait for the fix, and backport if necessary > or possible. > > How about downgrading the severity of the bug reports to a level that > reflects the severity of the problem? I don't think this suggestion would gain us very much. The number of these bugs still open is around a handful, and nearly all of them are already fixed in some way, just not in Lenny. These bugs come at different severities and we've already been adjusting bug severities where we think it's appropriate. However, for 'your average temp file race', the fix is trivial, so I would not see a reason to knowingly release lenny with it. I think the bug can be downgraded when a good explanation can be given why it would be undesirable to fix this specific bug for lenny. For these bugs normally it is faster and better to fix the bug than to be discussing the exact severity. Thijs
Attachment:
pgpjumt1z7Koh.pgp
Description: PGP signature