Re: Bug severity and private data disclosure
On 2013-06-10 15:11:26 +0100, Ian Jackson wrote:
> I agree with you that that bug is a potential security vulnerability.
> I think the maintainer adopted an overly-close and legalistic reading
> of the bug severity guidelines. On the other hand I think the
> maintainer makes good points about the lack of widespread impact.
I think that most security bugs do not have widespread impact.
> I'm not sure exactly what consequences you think should have flowed
> from the bug's RC severity. Do you think the release should have been
> delayed? CUPS removed from wheezy? Presumably not. So it should
> have been RC-ignored for wheezy.
This is for sid only. Having an RC severity allows one to make other
users aware of the bug via apt-listbugs. Then they can ignore it or
not... It also prevents the bug from entering testing, which is safer
for the corresponding users.
Note that this is a regression. Using the testing version (= stable
currently) is fine w.r.t. this bug.
> So I agree with the main thrust of the maintainer's comments, that
> this bug severity discussion is a side issue which risks distracting
> us from fixing the bug.
> If what you're trying to do is improve the wording of the bug severity
> guidelines, have you considered emailing owner@bugs?
Vincent Lefèvre <email@example.com> - Web: <http://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <http://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)