5 Feb
2014
4:01 a.m.
Hi all,

Can we get a clear policy about bug reports for security issues?

If a user opens a bug report saying "Update foo to version xxx fixes CVE-xxxx-xxx", that will be closed. However, if they open a bug report "Package foo is affected by CVE-xxxx-xxx", and do not mention the update is the fix, no-one has an issue about it.

I propose that any bug that has security implications should not be closed until the bug is fixed. Whether or not an update is the correct fix should not matter.

Allan