Redefining critical bug severity (was: how to deal with a missed so bump already uploaded ?)

To: debian-devel@lists.debian.org, owner@bugs.debian.org
Subject: Redefining critical bug severity (was: how to deal with a missed so bump already uploaded ?)
From: Russ Allbery <rra@debian.org>
Date: Sat, 17 May 2014 08:46:20 -0700
Message-id: <[🔎] 87sio84ddf.fsf_-_@windlord.stanford.edu>
In-reply-to: <[🔎] 20140517081845.GR4146@betterave.cristau.org> (Julien Cristau's message of "Sat, 17 May 2014 10:18:45 +0200")
References: <[🔎] A2A20EC3B8560D408356CAC2FC148E53B1E964AB@SUN-DAG3.synchrotron-soleil.fr> <[🔎] 1400304784.5068.17.camel@edoras.loewenhoehle.ip> <[🔎] 20140517081845.GR4146@betterave.cristau.org>

Julien Cristau <jcristau@debian.org> writes:
> On Sat, May 17, 2014 at 07:33:04 +0200, Tobias Frost wrote:

>> IMHO the severity should be raised to critical as it breaks unrelated
>> software.

> Reverse dependencies are anything but unrelated.

Over the years, I've seen endless confusion about the current definition
of a critical bug severity:

    makes unrelated software on the system (or the whole system) break, or
    causes serious data loss, or introduces a security hole on systems
    where you install the package.

The confusion seems to always be around the "unrelated software" part of
that definition.  The intended meaning is completely unrelated software on
the system, indicating a package that's mangling the system in some
fundamental way, but I've frequently seen people believe, sincerely, that
reverse dependencies, Perl programs that use a buggy module, or X programs
on a system with a buggy video driver qualify as unrelated software.

This makes me think that part of the bug definition is adding more
confusion than clarity.  Should we just drop it?

I think defining critical as:

    makes the entire system unusable, or causes serious data loss, or
    introduces a security hole on systems where you install the package

is closer to how we actually use the severity, and would avoid some of
these bug severity arguments.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>

Reply to:

Follow-Ups:
- Re: Redefining critical bug severity (was: how to deal with a missed so bump already uploaded ?)
  - From: Josh Triplett <josh@joshtriplett.org>
- Re: Redefining critical bug severity
  - From: Manoj Srivastava <srivasta@debian.org>
- Re: Redefining critical bug severity (was: how to deal with a missed so bump already uploaded ?)
  - From: Craig Small <csmall@debian.org>
- Re: Redefining critical bug severity (was: how to deal with a missed so bump already uploaded ?)
  - From: Don Armstrong <don@debian.org>

References:
- how to deal with a missed so bump already uploaded ?
  - From: PICCA Frederic-Emmanuel <frederic-emmanuel.picca@synchrotron-soleil.fr>
- Re: how to deal with a missed so bump already uploaded ?
  - From: Tobias Frost <tobi@frost.de>
- Re: how to deal with a missed so bump already uploaded ?
  - From: Julien Cristau <jcristau@debian.org>

Prev by Date: Bug#748471: ITP: erlang-lhttpc -- lightweight HTTP/1.1 client implemented in Erlang
Next by Date: Re: arm64 update - help wanted
Previous by thread: Re: how to deal with a missed so bump already uploaded ?
Next by thread: Re: Redefining critical bug severity (was: how to deal with a missed so bump already uploaded ?)
Index(es):
- Date
- Thread