On Sat, Dec 20, 2014 at 6:15 AM, Adam D. Barratt wrote:
> On Sat, 2014-12-20 at 11:48 +0100, Jonas Smedegaard wrote:
>> [sent again, cc correct list address this time]
>> Quoting Michael Gilbert (2014-12-20 11:06:47)
>> > On Sat, Dec 20, 2014 at 4:59 AM, Balint Reczey wrote:
>> >> On Fri, 19 Dec 2014 21:11:10 -0500 Michael Gilbert wrote:
>> >>> control: severity -1 important
>> >>> There is no security support for libv8 in jessie, so security issues
>> >>> aren't RC.
>> >> Could you please add some links to explain that?
>> >> I was about to fix this issue in an NMU after double-checking the
>> >> fix.
>> > Severity doesn't say anything about whether or not a bug can be
>> > fixed, so you can still do that. Anyway it was decided recently on
>> > the security team ml.
> I'm not aware of it having been decided that the security team were the
> arbiters of release criticality in such situations.
The severity was bumped to grave by Moritz about a month ago, likely
to get the libv8 maintainers to actually pay attention to their vast
volume of unaddressed security issues.
Now that it's been decided that libv8 won't get security support in
jessie, it seems perfectly reasonable to move back to the original
severity, which is important.
>> I find it sensible for the security team to give up on maintaining some
>> packages - and I find it great to try to communicate that to our users by
>> use of the debian-security-support package.
>> Just now I learned from above bugreport that the security team also
>> actively *lower* bugreports to avoid them being treated as release
>> candidate, for packages not maintained by the security team. That I
>> find a horrible approach: Severity of a bug is independent of whether it
>> will be fixed or not. The more proper tag to use is *-ignore, IMO.
The release team will still consider important bug fixes, you just
need to ask for