Control: severity -1 grave
2014-12-20 20:57 GMT+01:00 Michael Gilbert <mgilb...@debian.org>:
> On Sat, Dec 20, 2014 at 6:15 AM, Adam D. Barratt wrote:
>> On Sat, 2014-12-20 at 11:48 +0100, Jonas Smedegaard wrote:
>>> [sent again, cc correct list address this time]
>>> Quoting Michael Gilbert (2014-12-20 11:06:47)
>>> > On Sat, Dec 20, 2014 at 4:59 AM, Balint Reczey wrote:
>>> >> On Fri, 19 Dec 2014 21:11:10 -0500 Michael Gilbert wrote:
>>> >>> control: severity -1 important
>>> >>> There is no security support for libv8 in jessie, so security issues
>>> >>> aren't RC.
>>> >> Could you please add some links to explain that?
>>> >> I was about to fix this issue in an NMU after double-checking the
>>> >> fix.
>>> > Severity doesn't say anything about whether or not a bug can be
>>> > fixed, so you can still do that. Anyway it was decided recently on
>>> > the security team ml.
>> I'm not aware of it having been decided that the security team were the
>> arbiters of release criticality in such situations.
> The severity was bumped to grave by Moritz about a month ago, likely
> to get the libv8 maintainers to actually pay attention to their vast
> volume of unaddressed security issues.
> Now that it's been decided that libv8 won't get security support in
> jessie, it seems perfectly reasonable to move back to the original
> severity, which is important.
The proper severity of this bug is grave as set by Moritz IMO. I'm
restoring it wearing my maintainer hat.
I have also checked if the fix changed the ABI using objdump (did not
change it) and uploaded a fixed version to DELAYED/2.
The fix can be found in the usual packaging repository.