Your message dated Mon, 4 Jan 2010 15:44:50 +0100
with message-id <[email protected]>
and subject line Re: Bug#372720: Mode experts allows to bypass the reportbug
criticity limitations
has caused the Debian Bug report #372720,
regarding reportbug: Critical bug severity description misleading
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
372720: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=372720
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: reportbug
Version: 3.20
Severity: minor
The critical bug severity description talks about introducing a
security issue, but then the next level insists that this
be a root level security issue or degrades the severity. Which is
correct?
Picking the only remaining option degrades the severity, despite
Debian kernel having known privilege escalations.
This may be a policy issue.
This may be resolved with #362947 although I don't think it is a duplicate as
such.
-- Package-specific info:
** /home/srw/.reportbugrc:
reportbug_version "3.18"
mode novice
ui text
email "[email protected]"
no-cc
header "X-Debbugs-CC: [email protected]"
smtphost bugs.debian.org
-- System Information:
Debian Release: testing/unstable
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.15.2
Locale: LANG=en_GB, LC_CTYPE=en_GB (charmap=ISO-8859-1)
Versions of packages reportbug depends on:
ii python2.3 2.3.5-9.1 An interactive high-level object-o
Versions of packages reportbug recommends:
pn python2.3-cjkcodecs | python2 <none> (no description available)
-- no debconf information
--- End Message ---
--- Begin Message ---
Hi all,
I think below I've provided the best explanation of the bifurcation of
severities for critical and grave, and a reason why I'm not about to
change reportbug about it. Hence I'm closing this report, thanking
those that partecipate to it.
Regards,
Sandro
On Tue, Jun 23, 2009 at 14:57, Sandro Tosi <[email protected]> wrote:
> Hi Simon,
> thanks for the prompt reply
>
> On Tue, Jun 23, 2009 at 13:58, Simon Waters<[email protected]> wrote:
>> Sandro Tosi wrote:
>>>
>>> do you find this solution acceptable? Can we then consider this bug
>>> closed?
>>
>> I feel it is unacceptable, but it comes down to Debian policy and procedure
>> issues I'm not familiar enough to comment on.
>
> let's see :)
>
>> The point of this mode is to guide users unfamiliar with Debian policy to
>
> if we talk only about "users" they then to exaggerate the level of a
> bug because make their system broken without looking at the situation
> as a whole distribution.
>
>> make a good bug report, this bug refers to a feature that in some cases they
>> will file a bug as Grave, when it should be Critical.
>
> The distintion is so small, and it's coded in the policy
>
>> If Debian procedures ensure Grave bugs are reviewed as promptly as Critical
>> bugs, then this bug is unimportant
>
> they are both RC (release critical): Debian release when the count of
> RC bugs goes to 0 (or very near to, as decided by release team); so
> yes, they are treated both as "urgent" bugs to fix asap.
>
>> (but then why have a Critical level in that case?).
>
> that's the point. it is clarified here [1]:
>
> critical
> makes unrelated software on the system (or the whole system)
> break, or causes serious data loss, or introduces a security hole on
> systems where you install the package.
> grave
> makes the package in question unusable or mostly so, or causes
> data loss, or introduces a security hole allowing access to the
> accounts of users who use the package.
>
> [1] http://www.debian.org/Bugs/Developer#severities
>
> Now honestly how many users (*not* developers) are able to correctly
> identify what severity to choose?
>
>> If not, then this bug might result in Critical issues not being
>> dealt with as promptly as they should.
>
> both they are addressed as soon as possible.
>
>> I don't think we can assume people using a mode to assist them with bug
>> reporting will use an expert mode or other workaround (email the bug
>> system), they may assume that the tool is doing the "right thing".
>
> 'expert' mode is here to assist people that can do things possible
> with wide impact, so that lower modes have stricter rules.
>
>> I appreciate it is difficult, as there are competing interests in reducing
>> spurious reporting of critical bugs, and also of ensuring genuinely critical
>> issues are dealt with promptly.
>
> critical and grave are very important bugs, but as per policy they
> have different meaning for *the project* not for the *users*.
>
> Let me make an example: if the driver for my video board stops working
> upon upgrade, the bug is grave and NEVER critical. Instead, if a
> package does "rm -rf /etc/" in this packaging script, then it IS
> critical
>
> Cheers,
> --
> Sandro Tosi (aka morph, morpheus, matrixhasu)
> My website: http://matrixhasu.altervista.org/
> Me at Debian: http://wiki.debian.org/SandroTosi
>
--
Sandro Tosi (aka morph, morpheus, matrixhasu)
My website: http://matrixhasu.altervista.org/
Me at Debian: http://wiki.debian.org/SandroTosi
--- End Message ---