Hi Brian,

Only commenting on the first part for now:

On Thu, Oct 21, 2021 at 11:19:50AM +1100, Brian May wrote:
> Salvatore Bonaccorso <car...@debian.org> writes:
>
> > Source: heimdal
> > Version: 7.7.0+dfsg-2
> > Severity: grave
> > Tags: security upstream
> > Justification: user security hole
> > X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
> > Control: found -1 7.5.0+dfsg-3
>
> Does this need to be grave? Considering it was considered a minor issue
> everywhere else, maybe not?

Right, when filing a bug the severity is often "orthogonal" to a no-dsa
security tracking decision. With the grave severity as RC I would like to
basically make the statement here that the security issue should be
considered RC and the next release (far away) should contain this fix. An
RC-severity filed bug does not necessarily make the implication that a DSA
is needed (instead of e.g. fixing it via point release, which seems
sensible here for me). OTOH, many non-RC severity bugs warranted a DSA.

Hope this explains a bit. If you feel strongly about the severity being too
high, feel free to downgrade, please.

Regards,
Salvatore