
Re: RFC: Bug handling policy



On Wed, 2009-10-28 at 22:13 +0200, Andres Salomon wrote:
> On Wed, 28 Oct 2009 19:38:49 +0000
> Berni Elbourn <berni@elbournb.fsnet.co.uk> wrote:
> 
> > Andres Salomon wrote:
> > >> 2. Severities
> > >>
> > >> Many submitters believe that their bug meets one of the following
> > >> criteria for high severity.  We interpret them as follows and will
> > >> downgrade as appropriate:
> > >>
> > >> 'critical: makes unrelated software on the system (or the whole
> > >> system) break...'
> > >>    The bug must make the kernel unbootable or unstable on common
> > >>    hardware or all systems that a specific flavour is supposed to
> > >>    support.  There is no 'unrelated software' since everything
> > >>    depends on the kernel.
> > >>
> > >> 'grave: makes the package in question unusable or mostly so...'
> > >>    If the kernel is unusable, this already qualifies as critical.
> > >>
> > >> [Alternately: given that the user can normally reboot into an
> > >> earlier kernel version, does that mean the bug is 'grave', not
> > >> 'critical'?]
> > > 
> > > No.  Rebooting into an earlier kernel means that the user ends up
> > > with known security holes.  That should never be something that's
> > > encouraged.
[...]
> That's not what I'm saying.  If they want to revert, that's fine; so
> long as they understand the risks.  It should not be acceptable for
> *Debian* to say, "oh, just run the unsupported version for a few
> months". And the way that I read Ben's comment, it sounded like a bug
> should be less severe if users can be told to run an older
> (unsupported) version.  Ben, please correct me if I'm wrong.

I was actually thinking of the fact that several different ABI versions
can coexist.  So in case you are running unstable and a new upstream
kernel version doesn't work for you, the previous version is still
available.  Usually such an upgrade would not involve major security
fixes since we try to backport them.

Still, you are right that over time the previous version would become
more vulnerable, so my point wasn't really valid.

Ben.

-- 
Ben Hutchings
The generation of random numbers is too important to be left to chance.
                                                            - Robert Coveyou
