[arch-dev-public] Bug reports for security issues fixed by updates
Hi all,

Can we get a clear policy about bug reports for security issues?

If a user opens a bug report saying "Update foo to version xxx fixes CVE-xxxx-xxx", that will be closed. However, if they open a bug report "Package foo is affected by CVE-xxxx-xxx", and do not mention that the update is the fix, no-one has an issue with it.

I propose that any bug that has security implications should not be closed until the bug is fixed. Whether or not an update is the correct fix should not matter.

Allan
[2014-02-05 14:01:59 +1000] Allan McRae:
If a user opens a bug report saying "Update foo to version xxx fixes CVE-xxxx-xxx", that will be closed. However, if they open a bug report "Package foo is affected by CVE-xxxx-xxx", and do not mention that the update is the fix, no-one has an issue with it.
I propose that any bug that has security implications should not be closed until the bug is fixed. Whether or not an update is the correct fix should not matter.
Let's not make a specific rule for security issues: the above makes complete sense for any sort of critical bug. In fact, I can't see what kind of maintainer would close a bug report just because the fix is included in a new release...

-- Gaetan
On 02/05/2014 01:01 AM, Allan McRae wrote:
Hi all,
Can we get a clear policy about bug reports for security issues?
If a user opens a bug report saying "Update foo to version xxx fixes CVE-xxxx-xxx", that will be closed. However, if they open a bug report "Package foo is affected by CVE-xxxx-xxx", and do not mention that the update is the fix, no-one has an issue with it.
I propose that any bug that has security implications should not be closed until the bug is fixed. Whether or not an update is the correct fix should not matter.
Allan
Sounds good, allowing security issues to be reported even if the package is outdated. At least we have two types of security issues: one with a known exploit (critical) and the other theoretical under uncommon conditions (high). Maybe, just to keep the rules easy, we should allow all kinds of security reports. This should be explicitly specified on the wiki and maybe in the "Introductory message" of the flyspray, to avoid any kind of ambiguity ;)

-- Gerardo Exequiel Pozzi
participants (3): Allan McRae, Gaetan Bisson, Gerardo Exequiel Pozzi