
Re: Proposed refactoring of the per-release tracker pages



On Fri, 8 Jan 2010 17:59:52 -0500 Michael Gilbert wrote:

[...]
> I propose to show all unspecified urgencies as low in the tracker.

FWIW, I don't think this is a good idea.

> 
> Here is the logic: if the committer really thought the urgency deserved
> elevation, then they would have manually set that. Instead since they
> have not done this, then it can and should be concluded that it is one
> of low-priority since it wasn't significant enough to set higher.

This would force the meaning of an unset urgency into being equivalent
to a low urgency.
IMHO, this would reduce the expressive power of the security tracker:
to me, an unset urgency basically means "unclassified"; that is to say,
something that could be low, medium, or even high, but requires further
thinking before one can decide which is the correct category.

Of course, I would love seeing as few "unclassified" vulnerabilities as
possible, but claiming that they should be automatically considered as
low urgency looks like cheating to me.

An unset urgency is just that: unset.  It could even be high urgency,
in the worst case scenario, hence it should *not* be conflated with low
urgency issues.

> 
> Viewed from another perspective are the following questions. Is there
> any real purpose for an unset urgency?

I personally think there is one: it basically means "please someone
look at me and classify me!"

> How does the user interpret that information?

I personally interpret it as explained above.

> How is it useful?

It avoids hiding the fact that some vulnerabilities still have to be
classified, and hence are of uncertain urgency.
I think that this should be considered as part of the "do not hide
problems" philosophy (see SC #3).

> Does it make any kind of impact?

I think it does.


I hope my own personal opinion is useful as a contribution to the
discussion.

-- 
 http://www.inventati.org/frx/progs/scripts/pdebuild-hooks.html
 Need some pdebuild hook scripts?
..................................................... Francesco Poli .
 GnuPG key fpr == C979 F34B 27CE 5CD8 DC12  31B5 78F4 279B DD6D FCF4
