Hi Moritz,

2014-12-29 3:01 GMT+01:00 Moritz Mühlenhoff <j...@inutil.org>:
> On Sun, Dec 21, 2014 at 03:19:42PM -0500, Michael Gilbert wrote:
>> package: src:libv8-3.14
>> severity: grave
>> tags: security
>>
>> Hi,
>>
>> the following vulnerabilities were published for libv8-3.14.
>
> So if I'm understanding the discussion on debian-devel correctly
> the libv8 maintainers want to see this treated as an RC-bug.
> Please clarify your intentions, do you
>
> a) intend to fix these issues with patches and if that's not possible
> remove libv8 along with its rev deps?
>
> b) want to keep this with RC severity and tag it jessie-ignore.
> I would consider that rather broken since foo-ignore is used for
> issues which are ignored for once, but which will be addressed
> in release+1. I don't see the libv8 situation change upstream...

The rationale behind opening the RC bugs was improving transparency on my side. I think more people follow bugs than the security tracker. I think the call between a) and b) is up to release management, but my interpretation for b) is a bit different. There are RC bugs ignored for several releases, thus I think foo-ignore is not strictly for one-off issues and b) would be the proper way of letting libv8 be released with Jessie if the security issues stay open.

Cheers,
Balint

>
> c) plan something else I'm missing
>
> Cheers,
> Moritz