
Re: software outside Debian (Re: holes in secure apt)



On Sun, 2014-06-22 at 12:27 +0200, Holger Levsen wrote: 
> On Sonntag, 22. Juni 2014, Christoph Anton Mitterer wrote:
> > > one or two bug reports might be oh so more useful than posting on -devel.
> > #752275 and #752277
> 
> thanks for these!

To be honest, Holger, I don't know why you've asked me to report these
issues at all, if you have nothing better to do than downgrading their
severity with your first post not even half a day after I've reported
it.

I mean I'd understand such behaviour if these bugs had been open for
weeks while I hadn't replied and they were generally considered to be
non-issues.

But now I just wonder... what advantages do people have from this
mentality of always re-setting the severity when it's not yet fully
clear and agreed upon whether there is an issue or not?
I mean are DDs somehow punished for having >important bugs open?

Even if my bug report was wrong, and the issue wouldn't apply... it
feels like rather simply hiding away such bugs.


The same happened on #752277, even by Michael Gilbert, member of the
security team.
I mean even if contrib/non-free don't get official security support -
what's the problem with best-effort?
While I could agree on removing the security tag (even though this is
AFAIK not documented to be a tag specifically for the security-team)...
I can absolutely not agree on lowering the severity... and yet even
more: changing the title from something that clearly shows users
"there's some security issues" to a harmless "suggestions for
flashplugin fetching improvements"

I mean this is actively hiding severe security issues...

With all due respect, I really wonder why someone with a view on
security like that can be a member of the security team. Outrageous.
Disturbing.


And coming back to you, Holger, and some others who complained why I
brought that up on d-d and not in small little bug reports:
It's just that... you always have to fight windmills, maintainers and
other involved people who have no sense of security, simply don't care
or even actively hide these things under the carpet.


Apart from that:
My reports there weren't obvious spam or completely bogus... so it means
I probably had at least something in my mind when I reported them.
Given that I don't believe any DDs or the security team are publicly
whipped on a daily basis for each +security or >important bug that is
open... I think it's rather impolite if not rude behaviour to more or
less blindly change severity/tags or titles without any chat with the
reporter.

Cheers,
Chris.
