[2014-02-05 14:01:59 +1000] Allan McRae:
> If a user opens a bug report saying "Update foo to version xxx fixes
> CVE-xxxx-xxx", that will be closed. However, if they open a bug report
> "Package foo is affected by CVE-xxxx-xxx", and do not mention the update
> is the fix, no-one has an issue about it.
>
> I propose that any bug that has security implications should not be
> closed until the bug is fixed. Whether or not an update is the correct
> fix should not matter.

Let's not make a specific rule for security issues: the above makes complete sense for any sort of critical bug. In fact, I can't see what kind of maintainer would close a bug report just because the fix is included in a new release...

--
Gaetan

