* Michael Gilbert <mgilb...@debian.org>, 2014-06-22, 04:44:
If a remotely exploitable root security hole is not “critical” and is not a security problem, then I don't know what is.

It is not appropriate to burden the security team about parts of the archive that clearly don't receive security support:
https://www.debian.org/security/faq#contrib

The “security” tag is defined as “describes a security problem in a package”, not “the Security Team should feel obliged to fix it”. BTS documentation doesn't give the Security Team the power to decide about bug severities either.

If correctly tagged bugs against contrib or non-free packages create burden for the Security Team, then they should fix their workflow, and possibly also remove this sentence from their FAQ, to reflect reality: “If it is possible to fix the problem, and the package maintainer or someone else provides correct updated packages, then the security team will generally process them and release an advisory.”

Lack of security support is not the same thing as opposition to security, and I expect the Security Team to not engage in the latter.

If it was an upstream bug AND we couldn't get it fixed ourselves (due to licensing or lack of source) AND upstream was not willing to fix it either, then that would be justification for the wontfix tag (but not for any changes you made).

However, this is a bug specifically introduced by the Debian package. There is no excuse for not fixing it.

Where did you see wontfix?

I didn't. I used the future unreal conditional, which is used to talk about imaginary situations in the future. (But IANA native speaker of English, so I welcome criticism of my grammar.)

--
Jakub Wilk

