On Sat, 9 Jan 2010 15:59:54 -0500 Michael Gilbert wrote:

> On Sat, 9 Jan 2010 21:13:56 +0100 Francesco Poli wrote:
> > In the current thread, you proposed to convert all "blank urgencies" to
> > "undetermined".
> > Moritz replied "No way".
> > At that point you stated that you yourself changed your mind and agree
> > with Moritz that "<undetermined> is definitely not right for these
> > cases".
> >
> > Now you again seem to claim that the <undetermined> tag is the
> > replacement for blank (i.e.: unset, no?) urgency cases...
>
> The currently blank tags will be remarked as low. <undetermined> can
> be used in new cases (or refactored into old cases if that makes sense).
> You can see some <undetermined> test-cases in the tracker now, which may
> clear things up somewhat.

I am still convinced that blank != low ...

By looking at undetermined test-cases, I see that they seem to be
unclassified *both* in terms of <fixed>/<unfixed> status and in terms
of <low>/<medium>/<high> urgency.

I think that, when a vulnerability is undetermined in the sense that it
is yet unknown whether it is <fixed> or <unfixed> in all the package
versions currently present in the various releases (stable, testing,
unstable), then it makes sense to have an urgency (<low>, <medium>,
<high>, or even <unset>) that suggests how quickly one should strive to
investigate further.
The per-release tracker pages should have a view that includes these
kinds of issues too, and a view that hides them, as well.
I don't mind which is the default, as long as there's a distinct URL
for each one of them.

On the other hand, as soon as a vulnerability is known to be <unfixed>
in *at least* one package version currently present in a release, the
urgency (<low>, <medium>, <high>, or <unset>) has the usual meaning
("how quickly one should strive to fix the issue?").
The per-release tracker pages should always show these kinds of issues,
of course.

Please note that, in most cases, when a vulnerability switches from one
category to the other one, the urgency may stay unchanged: if it was
urgent to check the presence of a given vulnerability, it will be
probably equally urgent to fix it...

This is my own personal opinion on the matter.
I hope it may be helpful.

--
 http://www.inventati.org/frx/progs/scripts/pdebuild-hooks.html
 Need some pdebuild hook scripts?
..................................................... Francesco Poli .
 GnuPG key fpr == C979 F34B 27CE 5CD8 DC12 31B5 78F4 279B DD6D FCF4