[arch-dev-public] Bug reports for security issues fixed by updates
bisson at archlinux.org
Tue Feb 4 23:39:00 EST 2014
[2014-02-05 14:01:59 +1000] Allan McRae:
> If a user opens a bug report saying "Update foo to version xxx fixes
> CVE-xxxx-xxx", that will be closed. However, if the open a bug report
> "Package foo is affected by CVE-xxxx-xxx", and do not mention the update
> is the fix, no-one has an issue about it.
> I propose that any bug that has security implications should not be
> closed until the bug is fixed. Whether or not an update is the correct
> fix should not matter.
Let's not make a specific rule for security issues: the above makes
complete sense for any sort of critical bug.
In fact, I can't see what kind of maintainer would close a bug report
just because the fix is included in a new release...
More information about the arch-dev-public