
Re: Bug severity and private data disclosure

On 2013-06-10 15:11:26 +0100, Ian Jackson wrote:
> I agree with you that that bug is a potential security vulnerability.
> I think the maintainer adopted an overly-close and legalistic reading
> of the bug severity guidelines.  On the other hand I think the
> maintainer makes good points about the lack of widespread impact.

I think that most security bugs do not have widespread impact.

> I'm not sure exactly what consequences you think should have flowed
> from the bug's RC severity.  Do you think the release should have been
> delayed?  CUPS removed from wheezy?  Presumably not.  So it should
> have been RC-ignored for wheezy.

This is for sid only. Having an RC severity allows one to make other
users aware of the bug via apt-listbugs. Then they can ignore it or
not... It also prevents the bug from entering testing, which is safer
for the corresponding users.

Note that this is a regression. Using the testing version (= stable
currently) is fine w.r.t. this bug.

> So I agree with the main thrust of the maintainer's comments, that
> this bug severity discussion is a side issue which risks distracting
> us from fixing the bug.
> If what you're trying to do is improve the wording of the bug severity
> guidelines, have you considered emailing owner@bugs ?

Not yet.

Vincent Lefèvre <vincent@vinc17.net> - Web: <http://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <http://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
