Re: Is a bug RC relevant if it has an influence on the health of a person
On Thu, Sep 09, 2010 at 04:11:50PM +0200, Thibaut Paumard wrote:
> And please, make all possible effort to warn your users about the
> potential risk of using or having used the buggy version. And even if
> it's only "I'm not sure, but it may well be serious enough to KILL
> PEOPLE", bloody hell, why are you even asking?
Well, did you ever hear about "Don't panic"? I was taking a bit of
time which is probably less than our mirror pushes for an issue which
is really unlikely to happen in practice.
As I said we here dive into a field where we as computer experts are not
able to evaluate the problem on our own any more. While I perfectly
trust upstream and this issue is clear I would like to raise the issue
in general. For instance what should we do if a similar life
endangering bug is reported by a "random" user and another user claims
that this is not the case. What exactly should our criteria be to
issue a DSA? Only fixes released by upstream?
Finally who is really responsible for the computer in the medical
practice? The only reasonable way is that an IT company with medical
experts just provides the service for installation and updates for
practice management systems in production. In a critical case I'd
expect the service company to inform their clients about the problem by
phone and not that the doctor learns about the issue by an "apt-get
So in practically relevant cases there is no reason to panic.
> I really wouldn't want to get into an airplane with a known bug which
> could potentially crash the plane though it did not qualify as RC.
I do not even want to sit in an airplane which runs Debian testing (and
this is what we are talking about, right?). I'm fine that most
responses agree with my opinion that we should release with the fixed
version. However, the emotional touch the discussion has taken just
ignores that the problem is more complex than simply file and fix an RC
bug. As I said it is a matter of lacking expertise on our side, it is a
matter of responsibility (supporting company) and finally I also raised
the issue whether packages like this might perhaps be better placed in
volatile which might be more flexible in the case of an urgently needed