
Re: About Release-critical bugs page

On 2008-12-25 20:07 +0100, Marc Shapiro wrote:

> Every now and then I take a look at the Release-critical bugs status
> page and I have a question.  Since the release of Etch, in addition to
> showing bug counts for the 'next stable release' and total counts they
> have also displayed a line for the current release.  This has, for the
> past year, shown more release critical bugs for Etch than for Lenny.
> What does this really mean?  Obviously, Etch *has* been released.
> Apparently it has many release critical bugs.  Are these bugs that
> have been found since Etch's release that would have been considered
> release critical if they had been found before its release?

Yes, in the majority of cases.  But there are probably a good number of
false positives.  One common pattern is the following: RC bug #nnnnnn is
reported against package foo in version x.y.z (which may or may not be
in stable).  Then somebody (often the maintainer of foo) finds out the
bug is in package bar instead and sends mail to control@bugs.debian.org:

reassign nnnnnn bar

with the result that the bug has no version information anymore, and the
BTS assumes that it applies to all versions of bar, although this is
often not the case.

Last week I had a look at the list myself and added version or suite
information to about 20 bugs where I could identify that they don't
apply to Etch.  In many other cases investigating whether a particular
bug applies to stable would have taken considerable time, though.

> If so, why have they not been corrected?  The number just keeps on
> going up.

You might not like it, but I'm afraid the answer is: because nobody
cares about them.  The security team only fixes issues they find serious
enough for a DSA, and low-priority security bugs like unsafe temporary
file handling (an issue that has been found and fixed in many packages
during the Lenny release cycle) as well as non-security RC bugs are left
to the package maintainers who often feel it's not worth backporting a
fix and getting approval by the Stable Release Team.

It's a pity that after so many months of freezing and bugfixing the
actually released software is so neglected, but that's how it is.
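The control-mail pattern discussed above, written out as an added example that is not part of the original post: the bug number, package name and version strings are placeholders. The point is that `reassign` accepts an optional version, and that `found`/`notfound` (or the suite tags) tell the BTS which versions are actually affected, so the bug does not silently get counted against every version of bar, including the one in stable. Lines beginning with `#` are explanatory comments.

```text
To: control@bugs.debian.org

# reassign to the package where the bug really is, keeping the
# version the bug was reported against instead of dropping it
reassign nnnnnn bar 1.2.3-4

# record the affected version and the one in stable that is not affected,
# so version tracking keeps the bug off the etch line of the RC page
found nnnnnn 1.2.3-4
notfound nnnnnn 1.0.0-1

# if the bug cannot be pinned to specific versions, say which suites it applies to
tags nnnnnn + lenny sid

thanks
```

Without the version on `reassign` (or the `found`/`notfound` lines afterwards) the reassigned bug carries no version information at all, which is exactly the state that makes the BTS assume it applies to every version of bar.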

