Hi

On Fri, 23 May 2008 01:37:12 pm Michael Gilbert wrote:
> What does it mean when the "Urgency" is neither "low", "medium", or
> "high" on the tracker pages, for example CVE-2007-3073 (iceweasel) and
> many others in [1]? Does that mean that the urgency has yet to be
> assigned, or is it unknown? Should I assume that the urgency is
> "high" until there is further information indicating otherwise?
>
> It is rather confusing to have entries without a specified urgency.
> The urgency of security issues need to be categorized (otherwise there
> is no way for the user to determine how concerned he or she should be
> about a particular issue).

It means nobody specified the urgency yet. Either because it is unknown or the person who originally put in the information is unsure about the impact.
Feel free to help out, suggest urgencies (commit them yourself) or add notes :)

> Maybe there should be a requirement to always assign an urgency when a
> security issue is reported?

No, it is more important to get the information into the tracker and notify people to be able to work in it, rather than ignoring it because of the urgency field.
If users want to use the tracker to gain information about the vulnerability of their system, I would highly recommend that they read the CVE and all available information about affected packages, instead of just looking at the urgency field :)

Cheers
Steffen