
Re: lowering severity of bugs not tracked by release team



On Sat, 2014-12-20 at 11:48 +0100, Jonas Smedegaard wrote:
> [sent again, cc correct list address this time]
> 
> Quoting Michael Gilbert (2014-12-20 11:06:47)
> > On Sat, Dec 20, 2014 at 4:59 AM, Balint Reczey wrote:
> >> On Fri, 19 Dec 2014 21:11:10 -0500 Michael Gilbert wrote:
> >>> control: severity -1 important
> >>>
> >>> There is no security support for libv8 in jessie, so security issues 
> >>> aren't RC.
> >> Could you please add some links to explain that?
> >> I was about to fix this issue in an NMU after double-checking the 
> >> fix.
> >
> > Severity doesn't say anything about whether or not a bug can be 
> > fixed, so you can still do that.  Anyway it was decided recently on 
> > the security team ml.

I'm not aware of it having been decided that the security team were the
arbiters of release criticality in such situations.

> I find it sensible for the security team to give up on maintaining some 
> packages - and I find it great to try to communicate that to our users by 
> use of the debian-security-support package.
> 
> Just now I learned from above bugreport that the security team also 
> actively *lower* bugreports to avoid them being treated as release 
> candidate, for packages not maintained by the security team.  That I 
> find a horrible approach: Severity of a bug is independent of whether it 
> will be fixed or not.  The more proper tag to use is *-ignore, IMO.

The setting of -ignore by people other than the Release Team (or those who
have previously discussed doing so, e.g. for certain classes of bug in
stable) is still wrong.

Regards,

Adam

