On Sun, Aug 24, 2003 at 03:57:45PM +0200, Sander Smeenk wrote:
> Hi,
>
> I'm about to close 95153, 133049, 158040, 165555, 170580, 173331, 176223,
(...)

I object.

>
> Instead I provide signed backported packages on p.d.o which I will keep
> 'semi up to date'. Still a lot of people use the outdated and utterly
> broken 1.8.4 release and complain. Although these complaints are correct,

Maybe because they are not aware of your backporting efforts.

> I will from now on close them and tell the submitter to use my
> backported, newer packages or compile his/her own.

Yes, this utterly broken release is in all Debian CDs and mirrors. Bugs are bugs; if they are not fixed then don't close them. BTW, they are not even tagged properly (i.e. 'stable').

>
> Before you object to this rather 'rude' bughandling, please keep in mind
> that version 1.8.4 of snort, which is in stable, has 3 severe security
> exploits, and is completely outdated in catching crooks (rulefiles) and
> detection mechanisms. Not to speak of package stability ;)

Then you should work towards fixing them in stable or having ftp-masters agree to include a new (backported) version at proposed-updates.

>
> It's for the users' best interest that I tell them to use the new version.
>

It is for the best interest of the users that you provide a proper snort version in proposed-updates. Having bugs closed in a package which is still distributed leads to a false sense of workability of the package. Having all these bugs marked 'stable' and tagged 'wontfix' tells users best that they should not be using them at all!

For example, closing bug #173254 instead of reassigning it to www.debian.org or ftp.debian.org was not proper. It should be marked 'stable', or reassigned to another team! You should not close bugs just because you cannot solve them; they will not go away just because of that.

This is a similar situation to #183524. We have to determine a way to remove packages completely out of stable (due to unfixable security bugs, for example) in a way that does not leave users exposed to these and their bugs.

Having a dummy package at proposed-updates which just says "please do X, Y, and Z to have package A in your Debian stable system" might be one of them.

Regards

Javi