Re: Bug#402829: mantis: not supportable by the security team



dann frazier wrote:
> Package: mantis
> Severity: serious
>
> As per http://release.debian.org/etch_rc_policy.txt - 5a, I am opening
> this RC bug against mantis to prevent it from releasing until which
> time the security team is convinced that it is a package that can
> be reasonably supported.
>
> See the discussion thread here:
>   http://lists.debian.org/debian-release/2006/12/msg00437.html

I quite understand the etch release policy and I am sure that there are
cases where 5a applies. But in the case of mantis it does *not* apply,
because there is currently *one* open security issue, which was
just reported and which I am willing to fix within the day. The
package *has* a maintainer and it is neither out of date nor *too buggy*.

It makes me somewhat angry that I invested so much work in bringing
mantis back into good shape, when people can block its release by just
saying 'hey, it had a bad history'. Given the information from Moritz that
it had 21 vulnerabilities, it is worth mentioning that almost 50%
of the bugs I have seen affected rather dusty versions of mantis that are
*far* away from the current release. Also, most of the bugs have been
fixed upstream in a reasonable time and I can *not* confirm that mantis
developers hide details of bug fixes. In fact they use their own bug
tracker to track fixes for bugs, and most of the security issues are
IMO documented and discussed there well enough to backport/implement
security fixes into the current Debian packages.

Lastly, I want to note that IMO using statistics that are in
*no way* representative isn't really a good basis for arguing about a poor
user base. And given that you do trust that these 40 counted users are a
representative number: for these 40 counted users mantis might be *very*
important. And there might be even more: there might be hundreds that do not
participate in popcon.

I would like to discuss this topic further and hopefully we can find a
consensus.

Best Regards

Patrick


Attachment: signature.asc
Description: OpenPGP digital signature