On Tue, 5 Mar 2019 23:26:58 +0100 Matija Nalis <mnalis-debian...@voyager.hr> wrote:
> Hi Celejar,
>
> you have raised severity to "serious" on ssmtp Debian package
> in bug #662960, which is reserved for "Serious policy violations" as
> described at https://www.debian.org/Bugs/Developer#severities
>
> It is customary to indicate exactly which section of Debian policy
> Manual (at https://www.debian.org/doc/debian-policy/) the bug
> breaks when setting "serious" severity.

I concede that I was probably mistaken in raising the severity to "serious". I was probably just so aggravated at the package promising TLS support but silently failing to perform certificate validation that I conflated the normal English meaning of "serious" with its technical meaning in this context ;)

> While I do agree that limitations of TLS implementation should be
> prominently noted in package documentation and even description, I do
> not think that even completely non-existent TLS support qualifies for
> more than "important" severity (and more likely "normal" or
> "wishlist").

I do stand by my position that this is at least an "important" bug. I agree that non-existent TLS support would be merely "wishlist" priority - but not if the package assured the user that it was providing TLS but silently failed to do so!

Another email in this report argues:

> Given its purpose - "extremely simple MTA [...]" - should this issue
> really be considered "serious" (and Release Critical) ?

Again, while I concede that this may not technically be RC, pointing to the software's self-description as an "extremely simple MTA [...]" misses the point: I have no problem with insecure software (I'm not filing any bugs against telnet ;)), only with software that assures the user of a certain level of security but does not provide it.

> Unless someone objects with specific Debian policy section that this
> package runs afoul, I'm going to revert its severity back to wishlist.

Thank you for your work on Debian, and I apologize for my initial error.

Celejar