Hi Raphael, I just read at http://www.us.debian.org/Bugs/Developer.en.html#severities and took the one that made more sense to me, there the only severity that talks about "security" is "critical" so I took that. I'm not a bug vodoo, I was just trying to give a hand marking bugs.
Anyway, it's always good to learn a bit more on every matter, so thanks for the lesson and accept my appologies for messing up your bug reports. Sincerelly, Marc. On 1/19/07, Raphael Hertzog <[EMAIL PROTECTED]> wrote:
severity 407519 important thanks On Fri, 19 Jan 2007, Marc Fargas wrote: > severity critical > tags +patch > thanks > > The current Django versión in Debian has a security hole, so this bug > should be critical, and the patch recommended by the submitter should be > applied and brought to etch, I think. If I understand the bug correctly, the filename of the .po must be modified to include commands with backticks... in other word, the malicious intent is easily recognisable. I expect that in 99,9% of the time, the person starting compile-messages just copied/installed the .po files where required... and he certainly would notice that the filename look very strange compared to the other files ! So I really don't agree with severity critical... which brings to the point that you shouldn't change the severity without justifying your statement. "has a security hole" is a bit short without explaining a likely case of security breach. In particular, when upstream has not considered the risk serious enough to warrant a point release... Of course, I'd like to hear opinions from others. Regards, -- Raphaël Hertzog Premier livre français sur Debian GNU/Linux : http://www.ouaza.com/livre/admin-debian/