
Re: Proposed refactoring of the per-release tracker pages



On Sat, 9 Jan 2010 15:59:54 -0500 Michael Gilbert wrote:

> On Sat, 9 Jan 2010 21:13:56 +0100 Francesco Poli wrote:
> > In the current thread, you proposed to convert all "blank urgencies" to
> > "undetermined".
> > Moritz replied "No way".
> > At that point you stated that you yourself changed your mind and agree
> > with Moritz that "<undetermined> is definitely not right for these
> > cases".
> > 
> > Now you again seem to claim that the <undetermined> tag is the
> > replacement for blank (i.e.: unset, no?) urgency cases...
> 
> The currently blank tags will be remarked as low.  <undetermined> can
> be used in new cases (or refactored into old cases if that makes sense).
> You can see some <undetermined> test-cases in the tracker now, which may
> clear things up somewhat.

I am still convinced that blank != low ...


By looking at undetermined test-cases, I see that they seem to be
unclassified *both* in terms of <fixed>/<unfixed> status and in terms of
<low>/<medium>/<high> urgency.

I think that, when a vulnerability is undetermined in the sense that it
is not yet known whether it is <fixed> or <unfixed> in all the package
versions currently present in the various releases (stable, testing,
unstable), then it makes sense to have an urgency (<low>, <medium>,
<high>, or even <unset>) that suggests how quickly one should strive to
investigate further.
The per-release tracker pages should have a view that includes these
kinds of issues too, and a view that hides them, as well.
I don't mind which is the default, as long as there's a distinct URL
for each one of them.

On the other hand, as soon as a vulnerability is known to be <unfixed>
in *at least* one package version currently present in a release, the
urgency (<low>, <medium>, <high>, or <unset>) has the usual meaning
("how quickly one should strive to fix the issue?").
The per-release tracker pages should always show these kinds of issues,
of course.

Please note that, in most cases, when a vulnerability switches from one
category to the other one, the urgency may stay unchanged: if it was
urgent to check for the presence of a given vulnerability, it will
probably be equally urgent to fix it...


This is my own personal opinion on the matter.
I hope it may be helpful.

-- 
 http://www.inventati.org/frx/progs/scripts/pdebuild-hooks.html
 Need some pdebuild hook scripts?
..................................................... Francesco Poli .
 GnuPG key fpr == C979 F34B 27CE 5CD8 DC12  31B5 78F4 279B DD6D FCF4

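As an added illustration of the two categories and two views argued for above (example code written for this page, not code from the Debian security tracker or from the poster): a small Python model that parses a constructed, simplified entry format, keeps a blank urgency as "unset" rather than folding it into "low", shows the per-release view with and without undetermined issues, and carries the urgency over untouched when an undetermined issue is resolved. The line format, the placeholder CVE identifiers and package names are assumptions made for the example; they are not the tracker's real syntax or data.

```python
import re
from dataclasses import dataclass, replace
from typing import Dict, List, Optional

# Constructed toy format (an assumption for this example, not the tracker's
# real syntax):   CVE-ID  package  <status>  [(urgency)]
# status is one of fixed / unfixed / undetermined; the urgency is optional
# and, when absent, is kept as "unset" instead of being remarked as low.
ENTRY_RE = re.compile(
    r"^(?P<cve>CVE-\d{4}-\d+)\s+(?P<pkg>\S+)\s+"
    r"<(?P<status>fixed|unfixed|undetermined)>"
    r"(?:\s+\((?P<urgency>low|medium|high)\))?\s*$"
)


@dataclass(frozen=True)
class Entry:
    cve: str
    package: str
    status: str                # fixed | unfixed | undetermined
    urgency: Optional[str]     # None means unset (blank); deliberately not "low"


def parse(text: str) -> List[Entry]:
    """Parse the toy format; comment lines and blank lines are skipped."""
    entries: List[Entry] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ENTRY_RE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: cannot parse {line!r}")
        entries.append(Entry(m["cve"], m["pkg"], m["status"], m["urgency"]))
    return entries


def meaning_of_urgency(e: Entry) -> str:
    """What the urgency field asks for, depending on the category."""
    if e.status == "unfixed":
        return "how quickly to fix"
    if e.status == "undetermined":
        return "how quickly to investigate"
    return "n/a"


def release_view(entries: List[Entry], include_undetermined: bool) -> List[Entry]:
    """Per-release page: unfixed issues are always shown, undetermined ones
    only in the view that asks for them, fixed ones never."""
    shown: List[Entry] = []
    for e in entries:
        if e.status == "unfixed":
            shown.append(e)
        elif e.status == "undetermined" and include_undetermined:
            shown.append(e)
    return shown


def urgency_histogram(entries: List[Entry]) -> Dict[str, int]:
    """Count per urgency; unset is its own bucket, never merged into low."""
    counts = {"high": 0, "medium": 0, "low": 0, "unset": 0}
    for e in entries:
        counts[e.urgency or "unset"] += 1
    return counts


def resolve(e: Entry, new_status: str) -> Entry:
    """Move an investigated issue to fixed/unfixed; the urgency is kept as is."""
    if e.status != "undetermined":
        raise ValueError("only undetermined issues get resolved")
    if new_status not in ("fixed", "unfixed"):
        raise ValueError(f"bad status {new_status!r}")
    return replace(e, status=new_status)


# Constructed sample data with placeholder identifiers (not real CVEs/packages).
SAMPLE = """\
# constructed sample, not real tracker data
CVE-0000-0001 pkg-a <unfixed> (high)
CVE-0000-0002 pkg-b <fixed> (low)
CVE-0000-0003 pkg-c <undetermined> (medium)
CVE-0000-0004 pkg-d <undetermined>
CVE-0000-0005 pkg-e <unfixed>
"""

if __name__ == "__main__":
    entries = parse(SAMPLE)
    for inc in (False, True):
        view = release_view(entries, include_undetermined=inc)
        print(f"include_undetermined={inc}: {[e.cve for e in view]}")
    print(urgency_histogram(release_view(entries, True)))
    print(resolve(entries[2], "unfixed"))
```

Running it shows the two distinct views (one URL each, in the post's terms), and the histogram reports the two blank-urgency entries under "unset" rather than adding them to "low".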

