[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: sofftware outside Debian (Re: holes in secure apt)

On Sun, 2014-06-22 at 12:27 +0200, Holger Levsen wrote: 
> On Sonntag, 22. Juni 2014, Christoph Anton Mitterer wrote:
> > > one or two bug reports might be oh so more useful than posting on -devel.
> > #752275 and #752277
> thanks for these!

To be honest, Holger, I don't know why you've asked me to report these
issues at all, if you have nothing better to do, than downgrading their
severity with your first post not even half a day after I've reported

I mean I'd understand such behaviour if these bugs would be open for
weeks while I'd haven't replied and they are generally considered to be

But now I just wonder... what advantages to people have from this
mentality of always re-setting the severity when it's not yet fully
clear and agreed upon whether there is an issue or not?
I mean are DDs somehow punished for having >important bugs open?

Even if my bug report was wrong, and the issue wouldn't apply... it
feels like rather simply hiding away such bugs.

The same happened on #752277, even by Michael Gilbert, member of the
security team.
I mean even if contrib/non-free don't get official security support -
what's the problem with best-effort?
While I could agree on removing the security tag (even though this is
AFAIK not documented to be a tag specifically for the security-team)...
I can absolutely not agree on lowering the severity... and yet even
more: changing the title from something that clearly shows users
"there's some security issues" to a harmless "suggestions for
flashplugin fetching improvements"

I mean this is actively hiding severe security issues...

In all doing respect, I really wonder why someone with a view on
security like that can be member of the security team. Outrageous.

And coming back to you, Holger, and some others who complained why I
brought that up on d-d and not in small little bug reports:
It's just that... you always have to fight windmills, maintainers and
other involved people who have no sense of security, simply don't care
or even actively hide these things under the carpet.

Apart from that:
My reports there weren't obvious spam or completely bogus... so it means
I probably had at least something in my mind when I reported them.
Given that I don't believe any DDs or the security team is publicly
whipped on a daily basis for echo +security or >important bugs that are
open... I think it's rather impolite if not rude behaviour to more or
less blindly change severity/tags or titles without any chat with the


Attachment: smime.p7s
Description: S/MIME cryptographic signature

Reply to: