Hi Mike,

On Sat, 20 Dec 2014 05:06:47 -0500 Michael Gilbert <mgilb...@debian.org> wrote:
> On Sat, Dec 20, 2014 at 4:59 AM, Balint Reczey wrote:
> > Hi Mike,
> >
> > On Fri, 19 Dec 2014 21:11:10 -0500 Michael Gilbert
> > wrote:
> >> control: severity -1 important
> >>
> >> There is no security support for libv8 in jessie, so security issues
> >> aren't RC.
> > Could you please add some links to explain that?
> > I was about to fix this issue in an NMU after double-checking the fix.
>
> Severity doesn't say anything about whether or not a bug can be
> fixed, so you can still do that. Anyway it was decided recently on

I beg to disagree here. According to freeze policy [1] only targeted
fixes for RC bugs are considered to be accepted without pre-approval to
testing now. Fixes to unstable which won't be accepted to testing are
also discouraged during the freeze.
Those imply that decreasing the severity _does_ affect if a bug should
be fixed.

Please restore the severity of this bug since it is about a security flaw
and let the Release Team decide if they want to see a vulnerable libv8
in Jessie.

BTW the fix seems to be trivial and since I'm in the JavaScript team I
can actually fix it in a normal maintainer upload.

> the security team ml.

Please provide a link to a public resource to let others understand the
reasoning.

Thanks,
Balint

[1] https://release.debian.org/jessie/freeze_policy.html