[arch-dev-public] Bug reports for security issues fixed by updates
allan at archlinux.org
Tue Feb 4 23:01:59 EST 2014
Can we get a clear policy about bug reports for security issues?
If a user opens a bug report saying "Update foo to version xxx fixes
CVE-xxxx-xxx", that will be closed. However, if the open a bug report
"Package foo is affected by CVE-xxxx-xxx", and do not mention the update
is the fix, no-one has an issue about it.
I propose that any bug that has security implications should not be
closed until the bug is fixed. Whether or not an update is the correct
fix should not matter.
More information about the arch-dev-public