5 Feb 2014, 4:39 a.m.
[2014-02-05 14:01:59 +1000] Allan McRae:
If a user opens a bug report saying "Update foo to version xxx fixes CVE-xxxx-xxx", that will be closed. However, if they open a bug report "Package foo is affected by CVE-xxxx-xxx", and do not mention the update is the fix, no-one has an issue about it.
I propose that any bug that has security implications should not be closed until the bug is fixed. Whether or not an update is the correct fix should not matter.
Let's not make a specific rule for security issues: the above makes complete sense for any sort of critical bug. In fact, I can't see what kind of maintainer would close a bug report just because the fix is included in a new release... -- Gaetan