Hi Thijs,

On Friday 12 January 2007 16:25, Thijs Kinkhorst wrote:
> In recent times, I've been receiving more bug reports against
> packages I maintain that are worded like above: they are
> "unspecified" vulnerabilities over "unspecified" vectors with
> "unknown" implications.
>
> Please, I appreciate it when bugs are filed, but what value do
> contentless bugs like the one above add? How can they be
> "important" when there's no information in them?

I agree that there needs to be at least some information that allows one to identify the bug. But in this case there is a link to a Secunia advisory in the bug report which claims "Fixed in version 2.9.2-rc1". So obviously the changelog or the diff could be used to get more information.

Now the question is whether one should

1) delay the bug report until someone (either security team member or someone else) had time to look into this closer and identify the exact issues or

2) file the bug immediately to alert the maintainer (and allow him to be that "someone" if he has time).

I think 2) is better, especially this close to the release, so that the maintainer has more time to react.

Cheers,
Stefan

_______________________________________________
Secure-testing-team mailing list
[email protected]
http://lists.alioth.debian.org/mailman/listinfo/secure-testing-team

