
Re: Missing Urgencies in Tracker



On 5/23/08, Steffen Joeris wrote:
> If users want to use the tracker to gain information about the vulnerability
> of their system, I would highly recommend that they read the CVE and all
> available information about affected packages, instead of just looking at
> the urgency field :)

I think that the three-tiered (high, medium, low) categorization is
extremely useful.  Average users can't be expected to spend the time
to read or be able to fully understand the CVEs.  However, they can
easily understand the categories.

I really do think an urgency should always be assigned.  Maybe the
submitter should initially specify the urgency as, for example,
"medium/needs-review" so that others can be made aware that the
urgency currently stated is just a guess.

With the urgency left blank, as is currently done, the urgency
(borrowing concepts from quantum mechanics) is in a superposition of
the high, medium, and low states.  Hence, one has to assume the
worst-case scenario, which is that all of the blank urgencies are to
be considered high urgency (the cat is both dead and alive until you
open the box).

Kind Regards.

