On Tue 11 Jun 2019 at 09:53:50 +0200, Martin Steigerwald wrote:

> severity: important
> thanks
>
> Hi Brian,
>
> Brian Potkin - 10.06.19, 21:32:
> > Severity: critical
> > thanks
> >
> > On Thu 25 Oct 2018 at 12:50:25 +0100, Brian Potkin wrote:
> > > Package: okular
> > > Version: 4:17.12.2-2
> > > Severity: critical
> > > Tags: upstream security
> > >
> > > "critical" because a document should always go to where it is sent.
> > > Please reduce the severity if I have overestimated the security
> > > implications.
> > >
> > > The CUPS version being used is 2.2.8-5 and cups-browsed is not
> > > running. The issue was encountered while taking another look at
> > > #911702.
> > […]
> > > The job is always sent to a local queue when its destination
> > > precedes realq_desktop alphabetically.
> […]
> > I have retested this. There is no change on the present unstable. I
> > cannot see why a confidential print job going to a staff printer is
> > anything but a security issue. Maybe this is something that merits
> > the tag of normal but explanations are in short supply.
>
> Brian, before raising a bug severity to the highest severity possible,
> please read and understand Debian's release team guidelines regarding
> release critical bugs¹ as well as the general descriptions of bug
> severities².
>
> A "critical" bug is a bug that introduces a (remotely exploitable)
> security hole on systems you install the package to. A "grave" bug is a
> bug that introduces a (remotely exploitable) security hole allowing
> access to the accounts of users using the package.
Thank you, Martin, for taking the time and trouble to explain. I admit to
feeling uneasy about raising the severity level and did give it some
thought - but obviously not enough. Anyway, it's something for me to take
into account in the future.

> None of this is the case here.
>
> If at all, the bug might be "serious" if in the maintainer's opinion it
> would make the package unsuitable for release.
>
> Now please respect the reduced bug severity. Raising the severity again
> won't get you any priority handling with an already understaffed Debian
> Qt/KDE team. This is a community of people who are mostly doing unpaid
> work.

I have no intention of touching the severity level again.

> Two ways to use your (and our) time in a more productive manner are:
>
> 1) Retest with Okular 18.04 from Debian experimental (in case you run
> buster/sid). Or start KDE Neon in a machine and try with the newest
> Okular available there.

There might be time for me to do both of these today or tomorrow.

> 2) Remind upstream in a friendly way to have a look at the issue. Once
> there is a patch upstream it is very likely it could be backported for
> buster. Maybe it would be an idea to raise the upstream bug to KDE's
> security team.

You seem to have done that. Thanks.

Regards,

Brian.