Bug#760385: lowering severity of bugs not tracked by release team
Hi Mike,

First, I had to cancel the upload because of too strict reverse dependencies. Dear fellow JavaScript maintainers, please figure out a less strict dependency graph, because every otherwise fully compatible libv8 update would break several packages.

2014-12-21 2:13 GMT+01:00 Michael Gilbert <mgilb...@debian.org>:
> On Sat, Dec 20, 2014 at 7:52 PM, Bálint Réczey wrote:
>> The proper severity of this bug is grave as set by Moritz IMO.
>> I'm restoring it wearing my maintainer hat.
>
> It's not really constructive arguing over severity, so that's fine.

I appreciate the work done by the Security Team, but to work together we have to know what actions can be taken by the Security Team. Increasing severity of bugs is business as usual and perfectly reasonable, but _decreasing_ the severity _based on the availability of security support_ was crossing a line IMO. It seems the line was there based on Jonas' and Adam's emails. To clarify my position: the Security Team can and is expected to decrease the severity in case a security bug's impact turns out to be less than originally expected, but in this particular case this rule does not seem to be applicable.

> You've saved yourself from needing to write an unblock request.
>
> The problem still remains that the backlog of libv8 security issues
> never get fixed (except for a new upstream every now and then), so
> treating this one as RC but not the others is rather inconsistent:
> https://security-tracker.debian.org/tracker/source-package/libv8
> https://security-tracker.debian.org/tracker/source-package/libv8-3.14

If there were bugs opened for those CVEs, those should have been opened with grave severity, too.

> Note that unimportant there indicates lack of security support for the
> package.

This is confusing. Please don't mark them as unimportant, because in this context unimportant is defined differently.

https://security-tracker.debian.org/tracker/status/unimportant :

  This page lists packages that are affected by issues that are
  considered unimportant from a security perspective. These issues are
  thought to be unexploitable or ineffective in most situations (for
  example, browser denial-of-services).

> If there is interest in security support for libv8, that is a good
> thing, but a lot more needs to be done for that to be true.

Well, there is a long way to go, I agree.

Thank you for helping the Security Team and keeping the bugs and CVEs updated.

Cheers,
Balint

--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Bug#760385: lowering severity of bugs not tracked by release team
On Sun, Dec 21, 2014 at 9:11 AM, Bálint Réczey wrote:
>> The problem still remains that the backlog of libv8 security issues
>> never get fixed (except for a new upstream every now and then), so
>> treating this one as RC but not the others is rather inconsistent:
>> https://security-tracker.debian.org/tracker/source-package/libv8
>> https://security-tracker.debian.org/tracker/source-package/libv8-3.14
>
> If there were bugs opened for those CVEs, those should have been
> opened with grave severity, too.

Here you go:
http://bugs.debian.org/773671

Good luck!

Best wishes,
Mike
Bug#760385: lowering severity of bugs not tracked by release team
Quoting Michael Gilbert (2014-12-20 11:06:47)
> On Sat, Dec 20, 2014 at 4:59 AM, Balint Reczey wrote:
>> On Fri, 19 Dec 2014 21:11:10 -0500 Michael Gilbert wrote:
>>> control: severity -1 important
>>>
>>> There is no security support for libv8 in jessie, so security
>>> issues aren't RC.
>>
>> Could you please add some links to explain that? I was about to fix
>> this issue in an NMU after double-checking the fix.
>
> Severity doesn't say anything about whether or not a bug can be
> fixed, so you can still do that.
>
> Anyway it was decided recently on the security team ml.

I find it sensible for the security team to give up on maintaining some packages, and I find it great to try to communicate that to our users by use of the debian-security-support package.

Just now I learned from the above bug report that the security team also actively *lowers* bug reports to avoid them being treated as release critical, for packages not maintained by the security team.

That I find a horrible approach: the severity of a bug is independent of whether it will be fixed or not. The more proper tag to use is *-ignore, IMO.

Please let us not hide problems!

 - Jonas
Bug#760385: lowering severity of bugs not tracked by release team
On Sat, 2014-12-20 at 11:48 +0100, Jonas Smedegaard wrote:
> [sent again, cc correct list address this time]
>
> Quoting Michael Gilbert (2014-12-20 11:06:47)
>> On Sat, Dec 20, 2014 at 4:59 AM, Balint Reczey wrote:
>>> On Fri, 19 Dec 2014 21:11:10 -0500 Michael Gilbert wrote:
>>>> control: severity -1 important
>>>>
>>>> There is no security support for libv8 in jessie, so security
>>>> issues aren't RC.
>>>
>>> Could you please add some links to explain that? I was about to fix
>>> this issue in an NMU after double-checking the fix.
>>
>> Severity doesn't say anything about whether or not a bug can be
>> fixed, so you can still do that.
>>
>> Anyway it was decided recently on the security team ml.

I'm not aware of it having been decided that the security team were the arbiters of release criticality in such situations.

> I find it sensible for the security team to give up on maintaining
> some packages, and I find it great to try to communicate that to our
> users by use of the debian-security-support package.
>
> Just now I learned from the above bug report that the security team
> also actively *lowers* bug reports to avoid them being treated as
> release critical, for packages not maintained by the security team.
>
> That I find a horrible approach: the severity of a bug is independent
> of whether it will be fixed or not. The more proper tag to use is
> *-ignore, IMO.

The setting of -ignore by people other than the Release Team (or those who have previously discussed doing so, e.g. for certain classes of bug in stable) is still wrong.

Regards,

Adam
Bug#760385: lowering severity of bugs not tracked by release team
On Sat, Dec 20, 2014 at 6:15 AM, Adam D. Barratt wrote:
> On Sat, 2014-12-20 at 11:48 +0100, Jonas Smedegaard wrote:
>> [sent again, cc correct list address this time]
>>
>> Quoting Michael Gilbert (2014-12-20 11:06:47)
>>> On Sat, Dec 20, 2014 at 4:59 AM, Balint Reczey wrote:
>>>> On Fri, 19 Dec 2014 21:11:10 -0500 Michael Gilbert wrote:
>>>>> control: severity -1 important
>>>>>
>>>>> There is no security support for libv8 in jessie, so security
>>>>> issues aren't RC.
>>>>
>>>> Could you please add some links to explain that? I was about to
>>>> fix this issue in an NMU after double-checking the fix.
>>>
>>> Severity doesn't say anything about whether or not a bug can be
>>> fixed, so you can still do that.
>>>
>>> Anyway it was decided recently on the security team ml.
>
> I'm not aware of it having been decided that the security team were
> the arbiters of release criticality in such situations.

The severity was bumped to grave by Moritz about a month ago, likely to get the libv8 maintainers to actually pay attention to their vast volume of unaddressed security issues. Now that it's been decided that libv8 won't get security support in jessie, it seems perfectly reasonable to move back to the original severity, which is important.

>> I find it sensible for the security team to give up on maintaining
>> some packages, and I find it great to try to communicate that to
>> our users by use of the debian-security-support package.
>>
>> Just now I learned from the above bug report that the security team
>> also actively *lowers* bug reports to avoid them being treated as
>> release critical, for packages not maintained by the security team.
>>
>> That I find a horrible approach: the severity of a bug is
>> independent of whether it will be fixed or not. The more proper tag
>> to use is *-ignore, IMO.

The release team will still consider important bug fixes, you just need to ask for a pre-unblock.

Best wishes,
Mike
Bug#760385: lowering severity of bugs not tracked by release team
Control: severity -1 grave

Hi Mike,

2014-12-20 20:57 GMT+01:00 Michael Gilbert <mgilb...@debian.org>:
> On Sat, Dec 20, 2014 at 6:15 AM, Adam D. Barratt wrote:
>> On Sat, 2014-12-20 at 11:48 +0100, Jonas Smedegaard wrote:
>>> [sent again, cc correct list address this time]
>>>
>>> Quoting Michael Gilbert (2014-12-20 11:06:47)
>>>> On Sat, Dec 20, 2014 at 4:59 AM, Balint Reczey wrote:
>>>>> On Fri, 19 Dec 2014 21:11:10 -0500 Michael Gilbert wrote:
>>>>>> control: severity -1 important
>>>>>>
>>>>>> There is no security support for libv8 in jessie, so security
>>>>>> issues aren't RC.
>>>>>
>>>>> Could you please add some links to explain that? I was about to
>>>>> fix this issue in an NMU after double-checking the fix.
>>>>
>>>> Severity doesn't say anything about whether or not a bug can be
>>>> fixed, so you can still do that.
>>>>
>>>> Anyway it was decided recently on the security team ml.
>>
>> I'm not aware of it having been decided that the security team were
>> the arbiters of release criticality in such situations.
>
> The severity was bumped to grave by Moritz about a month ago, likely
> to get the libv8 maintainers to actually pay attention to their vast
> volume of unaddressed security issues. Now that it's been decided
> that libv8 won't get security support in jessie, it seems perfectly
> reasonable to move back to the original severity, which is important.

The proper severity of this bug is grave as set by Moritz IMO. I'm restoring it wearing my maintainer hat.

I have also checked whether the fix changed the ABI using objdump (it did not change it) and uploaded a fixed version to DELAYED/2. The fix can be found in the usual packaging repository.

Cheers,
Balint
Bug#760385: lowering severity of bugs not tracked by release team
On Sat, Dec 20, 2014 at 7:52 PM, Bálint Réczey wrote:
> The proper severity of this bug is grave as set by Moritz IMO.
> I'm restoring it wearing my maintainer hat.

It's not really constructive arguing over severity, so that's fine. You've saved yourself from needing to write an unblock request.

The problem still remains that the backlog of libv8 security issues never get fixed (except for a new upstream every now and then), so treating this one as RC but not the others is rather inconsistent:
https://security-tracker.debian.org/tracker/source-package/libv8
https://security-tracker.debian.org/tracker/source-package/libv8-3.14

Note that unimportant there indicates lack of security support for the package.

If there is interest in security support for libv8, that is a good thing, but a lot more needs to be done for that to be true.

Best wishes,
Mike