# [arch-dev-public] Bug reports for security issues fixed by updates

Gerardo Exequiel Pozzi vmlinuz386 at yahoo.com.ar
Wed Feb 5 01:17:46 EST 2014

On 02/05/2014 01:01 AM, Allan McRae wrote:
> Hi all,
>
> Can we get a clear policy about bug reports for security issues?
>
> If a user opens a bug report saying "Update foo to version xxx fixes
> CVE-xxxx-xxx", that will be closed.  However, if they open a bug report
> "Package foo is affected by CVE-xxxx-xxx", and do not mention the update
> is the fix, no-one has an issue about it.
>
> I propose that any bug that has security implications should not be
> closed until the bug is fixed.  Whether or not an update is the correct
> fix should not matter.
>
> Allan
>

Sounds good, allowing security issues to be reported even if the package is
outdated.

At least we have two types of security issues, one with a known exploit
(critical) and the other theoretical under uncommon conditions (high). Maybe
just for making the rules easy, we should allow all kinds of security reports.

This should be explicitly specified on the wiki and maybe in the
"Introductory message" of the Flyspray, to avoid any kind of ambiguity ;)

--
Gerardo Exequiel Pozzi
\cos^2\alpha + \sin^2\alpha = 1
