[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Is a bug RC relevant if it has an influence on the health of a person


Le 09/09/10 21:40, Andreas Tille a écrit :
> On Thu, Sep 09, 2010 at 04:11:50PM +0200, Thibaut Paumard wrote:
>> And please, make all possible effort to warn your users about the
>> potential risk of using or having used the buggy version. And even if
>> it's only "I'm not sure, but it may well be serious enough to KILL
>> PEOPLE", bloody hell, why are you even asking?
> Well, did you ever heard about "Don't panic".  I was taking a bit of
> time which is probably less than our mirror pushes for an issue which
> is really unlikely to happen in practice.

My point was more that it's not necessary to get into the technicalities
to decide the matter. Even if it did not fit the policy description for
"grave", it could still be grave, no need to go nitpicking about it.

> As I said we here dive into a field where we as computer experts are not
> able to evaluate the problem on our own any more. While I perfectly
> trust upstream and this issue is clear I would like to raise the issue
> in general.  For instance what should we do if a simmilar life
> endangering bug is reported by a "random" user and an other user claims
> that this is not the case.  What exactly should our criteria be to
> issue a DSA?  Only fixes released by upstream?

I think "security" is the way to go rather than volatile. Here again,
eventhough clear DSA guidelines are a good idea, common sense dictates
that life-endangering issues *are* security issues, whether or not they
are explicitly typed out in those guidelines... Do you have a clear
reasoning why volatile would be better than security?

> Finally who is really responsible for the computer in the medical
> practice?  The only reasonable way is that an IT company with medical
> experts just provides the service for installation and updates for
> practice management systems in production.  In a critical case I'd
> expect the service company to inform their clients about the problem by
> phone and not that the doctor learns about the issue by an "apt-get
> update".

That's what I meant by "warn your users" and by "you" I really meant
"upstream", not you ;-) I sort of hope all their users are subscribed to
a mailing list of some sort...

> So in practical relevant cases there is no reason to panic.
>> I really wouldn't want to get into an airplane with a known bug which
>> could potentially crash the plane though it did not qualify as RC.
> I do not even want to sit in an airplain which runs Debian testing (and
> this is what we are talking about, right?).

No, we are talking about stable. RCness is whether or not a known bug is
authorised to enter stable. I, too, have a secret hope that my doctor
runs a stable version of whatever system he chose and that he gets
warned directly and immediately when such a bug is found. But somehow,
I'm not sure this is the case.

Best regards, Thibaut.

Reply to: