[Pkg-javascript-devel] Bug#760385: lowering severity of bugs not tracked by release team

Adam D. Barratt adam at adam-barratt.org.uk
Sat Dec 20 11:15:26 UTC 2014


On Sat, 2014-12-20 at 11:48 +0100, Jonas Smedegaard wrote:
> [sent again, cc correct list address this time]
> 
> Quoting Michael Gilbert (2014-12-20 11:06:47)
> > On Sat, Dec 20, 2014 at 4:59 AM, Balint Reczey wrote:
> >> On Fri, 19 Dec 2014 21:11:10 -0500 Michael Gilbert wrote:
> >>> control: severity -1 important
> >>>
> >>> There is no security support for libv8 in jessie, so security issues 
> >>> aren't RC.
> >> Could you please add some links to explain that?
> >> I was about to fix this issue in an NMU after double-checking the 
> >> fix.
> >
> > Severity doesn't say anything about whether or not a bug can be 
> > fixed, so you can still do that.  Anyway it was decided recently on 
> > the security team ml.

I'm not aware of it having been decided that the security team were the
arbiters of release criticality in such situations.

> I find it sensible for the security team to give up on maintaining some 
> packages - and I find it great to try to communicate that to our users by 
> use of the debian-security-support package.
> 
> Just now I learned from above bugreport that the security team also 
> actively *lower* bugreports to avoid them being treated as release 
> candidate, for packages not maintained by the security team.  That I 
> find a horrible approach: Severity of a bug is independent of whether it 
> will be fixed or not.  The more proper tag to use is *-ignore, IMO.

The setting of -ignore by people other than the Release Team (or those who
have previously discussed doing so, e.g. for certain classes of bug in
stable) is still wrong.

Regards,

Adam


