[Pkg-javascript-devel] Bug#760385: lowering severity of bugs not tracked by release team

Bálint Réczey balint at balintreczey.hu
Sun Dec 21 14:11:48 UTC 2014


Hi Mike,

First, I had to cancel the upload because of too strict reverse
dependencies. Dear fellow JavaScript maintainers, please figure out a
less strict dependency graph, because every otherwise fully compatible
libv8 update would break several packages.

2014-12-21 2:13 GMT+01:00 Michael Gilbert <mgilbert at debian.org>:
> On Sat, Dec 20, 2014 at 7:52 PM, Bálint Réczey wrote:
>> The proper severity of this bug is grave as set by Moritz IMO. I'm
>> restoring it wearing my maintainer hat.
>
> It's not really constructive arguing over severity, so that's fine.
I appreciate the work done by the Security Team but to work together
we have to know what actions can be taken by the Security Team.
Increasing severity of bugs is business as usual and perfectly
reasonable, but _decreasing_ the severity _based on the availability
of security support_ was crossing a line IMO. It seems the line was
there based on Jonas' and Adam's email.
To clarify my position, the Security Team can and is expected to
decrease the severity in case a security bug's impact turns out to be
less than originally expected, but in this particular case this rule
does not seem to be applicable.

> You've saved yourself from needing to write an unblock request.
>
> The problem still remains that the backlog of libv8 security issues
> never get fixed (except for a new upstream every now and then), so
> treating this one as RC but not the others is rather inconsistent:
> https://security-tracker.debian.org/tracker/source-package/libv8
> https://security-tracker.debian.org/tracker/source-package/libv8-3.14
If there were bugs opened for those CVEs, those should have been
opened with grave severity, too.

>
> Note that unimportant there indicates lack of security support for the package.
This is confusing. Please don't mark them as unimportant because in
this context unimportant is defined differently.

https://security-tracker.debian.org/tracker/status/unimportant :
"This page lists packages that are affected by issues that are
considered unimportant from a security perspective. These issues are
thought to be unexploitable or ineffective in most situations (for
example, browser denial-of-services)."

>
> If there is interest in security support for libv8, that is a good
> thing, but a lot more needs to be done for that to be true.
Well, there is a long way to go, I agree.

Thank you for helping the Security Team and keeping the bugs and CVEs updated.

Cheers,
Balint