Re: sofftware outside Debian (Re: holes in secure apt)

To: debian-devel@lists.debian.org
Subject: Re: sofftware outside Debian (Re: holes in secure apt)
From: Holger Levsen <holger@layer-acht.org>
Date: Sun, 22 Jun 2014 16:20:52 +0200
Message-id: <[🔎] 201406221621.02963.holger@layer-acht.org>
In-reply-to: <[🔎] 1403443017.4692.17.camel@heisenberg.scientia.net>
References: <[🔎] 1402527988.4739.34.camel@heisenberg.scientia.net> <[🔎] 201406221227.10058.holger@layer-acht.org> <[🔎] 1403443017.4692.17.camel@heisenberg.scientia.net>

Hi Christoph,

On Sonntag, 22. Juni 2014, Christoph Anton Mitterer wrote:
> To be honest, Holger, I don't know why you've asked me to report these
> issues at all, [...]

so they are tracked and easy to be referenced - #752275 is way better than 
several message-ids on lists.d.o.

> But now I just wonder... what advantages to people have from this
> mentality of always re-setting the severity when it's not yet fully
> clear and agreed upon whether there is an issue or not?
> I mean are DDs somehow punished for having >important bugs open?

why do you think bugs of severity lower than serious are punishment? 

> Even if my bug report was wrong, and the issue wouldn't apply... it
> feels like rather simply hiding away such bugs.

Setting an appropriate severity is not hiding a problem.

Also, so far you havent replied to whether you agree that all your three 
concerns are addressed?

> And coming back to you, Holger, and some others who complained why I
> brought that up on d-d and not in small little bug reports:
> It's just that... you always have to fight windmills, maintainers and
> other involved people who have no sense of security, simply don't care
> or even actively hide these things under the carpet.

Again: having a proper severity is useful, not hiding.

> Apart from that:
> My reports there weren't obvious spam or completely bogus... so it means
> I probably had at least something in my mind when I reported them.
> Given that I don't believe any DDs or the security team is publicly
> whipped on a daily basis for echo +security or >important bugs that are
> open... I think it's rather impolite if not rude behaviour to more or
> less blindly change severity/tags or titles without any chat with the
> reporter.

True, thats why I tagged 752275 moreinfo and asked some specific questions. 
Maybe this bug is important indeed, but atm I cannot see why it would be. 

If 752275 would still be of RC severity it would prevent the package to enter 
jessie and prevent us from providing wheezy-backports too. *That* to be 
considered punishment of our users I would agree.

cheers,
	Holger

Attachment: signature.asc
Description: This is a digitally signed message part.

Reply to:

References:
- holes in secure apt
  - From: Christoph Anton Mitterer <calestyo@scientia.net>
- Re: sofftware outside Debian (Re: holes in secure apt)
  - From: Holger Levsen <holger@layer-acht.org>
- Re: sofftware outside Debian (Re: holes in secure apt)
  - From: Christoph Anton Mitterer <calestyo@scientia.net>

Prev by Date: Re: HTTPS everywhere!
Next by Date: Re: HTTPS everywhere!
Previous by thread: Re: sofftware outside Debian (Re: holes in secure apt)
Next by thread: Re: holes in secure apt
Index(es):
- Date
- Thread