[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: sofftware outside Debian (Re: holes in secure apt)

Hi Christoph,

On Sonntag, 22. Juni 2014, Christoph Anton Mitterer wrote:
> To be honest, Holger, I don't know why you've asked me to report these
> issues at all, [...]

so they are tracked and easy to be referenced - #752275 is way better than 
several message-ids on lists.d.o.

> But now I just wonder... what advantages to people have from this
> mentality of always re-setting the severity when it's not yet fully
> clear and agreed upon whether there is an issue or not?
> I mean are DDs somehow punished for having >important bugs open?

why do you think bugs of severity lower than serious are punishment? 
> Even if my bug report was wrong, and the issue wouldn't apply... it
> feels like rather simply hiding away such bugs.

Setting an appropriate severity is not hiding a problem.

Also, so far you havent replied to whether you agree that all your three 
concerns are addressed?

> And coming back to you, Holger, and some others who complained why I
> brought that up on d-d and not in small little bug reports:
> It's just that... you always have to fight windmills, maintainers and
> other involved people who have no sense of security, simply don't care
> or even actively hide these things under the carpet.

Again: having a proper severity is useful, not hiding.
> Apart from that:
> My reports there weren't obvious spam or completely bogus... so it means
> I probably had at least something in my mind when I reported them.
> Given that I don't believe any DDs or the security team is publicly
> whipped on a daily basis for echo +security or >important bugs that are
> open... I think it's rather impolite if not rude behaviour to more or
> less blindly change severity/tags or titles without any chat with the
> reporter.

True, thats why I tagged 752275 moreinfo and asked some specific questions. 
Maybe this bug is important indeed, but atm I cannot see why it would be. 

If 752275 would still be of RC severity it would prevent the package to enter 
jessie and prevent us from providing wheezy-backports too. *That* to be 
considered punishment of our users I would agree.


Attachment: signature.asc
Description: This is a digitally signed message part.

Reply to: