Hi Mike, First, I had to cancel the upload because of too strict reverse dependencies. Dear fellow JavaScript maintainers please figure out a less strict dependency graph because every otherwise fully compatible libv8 update would break several packages.
2014-12-21 2:13 GMT+01:00 Michael Gilbert <mgilb...@debian.org>:
> On Sat, Dec 20, 2014 at 7:52 PM, Bálint Réczey wrote:
>> The proper severity of this bug is grave as set by Moritz IMO. I'm
>> restoring it wearing my maintainer hat.
>
> It's not really constructive arguing over severity, so that's fine.

I appreciate the work done by the Security Team, but to work together we have to know what actions can be taken by the Security Team. Increasing the severity of bugs is business as usual and perfectly reasonable, but _decreasing_ the severity _based on the availability of security support_ was crossing a line IMO. It seems the line was there based on Jonas' and Adam's emails. To clarify my position: the Security Team can and is expected to decrease the severity in case a security bug's impact turns out to be less than originally expected, but in this particular case this rule does not seem to be applicable.

> You've saved yourself from needing to write an unblock request.
>
> The problem still remains that the backlog of libv8 security issues
> never get fixed (except for a new upstream every now and then), so
> treating this one as RC but not the others is rather inconsistent:
> https://security-tracker.debian.org/tracker/source-package/libv8
> https://security-tracker.debian.org/tracker/source-package/libv8-3.14

If there were bugs opened for those CVEs, they should have been opened with grave severity, too.

> Note that unimportant there indicates lack of security support for the
> package.

This is confusing. Please don't mark them as unimportant, because in this context unimportant is defined differently. https://security-tracker.debian.org/tracker/status/unimportant :

"This page lists packages that are affected by issues that are considered unimportant from a security perspective. These issues are thought to be unexploitable or uneffective in most situations (for example, browser denial-of-services)."
> If there is interest in security support for libv8, that is a good
> thing, but a lot more needs to be done for that to be true.

Well, there is a long way to go, I agree. Thank you for helping the Security Team and keeping the bugs and CVEs updated.

Cheers,
Balint