Control: severity -1 wishlist
Control: reassign -1 src:qemu

16.07.2020 06:10, Russell Coker wrote:
> On Thursday, 16 July 2020 1:45:13 AM AEST Michael Tokarev wrote:
>> Russell, what's the purpose of this bugreport,
>> what you expect the maintainer to do with it?
>
> Forward upstream, you could work on it yourself, be information for anyone
> else who wants to work on it, and be a warning for others about the potential
> security issue they may not be aware of.

You can file the same bugreport upstream too. Upstream knows about
this limitation, btw.

I highly doubt anyone is looking at debian (or other) bugreports in
a search for security warnings, so this doesn't work either.

The qemu debian package already has a ton of bugreports which are just
sitting there cluttering the list. They're valid, but at the same time
they're useless - no one except me is looking at them, and the list is
getting larger and larger so it becomes more and more difficult to find
something actually useful-to-fix in there. This one is definitely of
the same category.

If you want this to be fixed, the best is to try to fix it yourself
(note: spice has been in use for several years, and people rarely even
think about this), or talk with upstream about it (either using their
bug tracking or the mailing list).

You already have an option for hiding the spice password: it is to set
the password using a monitor command. This can be automated, but it is
definitely not as easy as using a password file. This is how libvirt is
using it.

So I'm lowering the bug severity, to at least save me from looking at
this again.

Thanks,

/mjt
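
The monitor-command approach mentioned in the message above can be automated over a QMP socket. The following is an added example, not part of the original message and not libvirt's code; it assumes QEMU was started with a QMP UNIX socket and SPICE enabled without a password on the command line, and the socket and secret-file paths are hypothetical.

```python
import json
import socket
import sys


def qmp_command(chan, name, **arguments):
    """Send one QMP command; return its result or raise on a QMP error."""
    msg = {"execute": name}
    if arguments:
        msg["arguments"] = arguments
    chan.write(json.dumps(msg) + "\n")
    chan.flush()
    while True:
        line = chan.readline()
        if not line:
            raise ConnectionError("QMP monitor closed the connection")
        reply = json.loads(line)
        if "event" in reply:  # asynchronous events can be interleaved
            continue
        if "error" in reply:
            raise RuntimeError(reply["error"].get("desc", "QMP error"))
        return reply["return"]


def set_spice_password(sock, password):
    """Negotiate QMP on a connected socket, then set the SPICE password."""
    chan = sock.makefile("rw", encoding="utf-8")
    greeting = json.loads(chan.readline())
    if "QMP" not in greeting:
        raise RuntimeError("peer did not send a QMP greeting")
    qmp_command(chan, "qmp_capabilities")  # leave capabilities-negotiation mode
    qmp_command(chan, "set_password", protocol="spice", password=password)


def main(qmp_socket_path, secret_file):
    # The password comes from a file (assumed mode 0600), never from argv,
    # so it is not exposed on any command line.
    with open(secret_file, encoding="utf-8") as f:
        password = f.read().rstrip("\n")
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        sock.connect(qmp_socket_path)
        set_spice_password(sock, password)


if __name__ == "__main__":
    # Hypothetical usage: set_spice_pw.py /run/vm1.qmp /etc/vm1.spice-pw
    main(sys.argv[1], sys.argv[2])
```

The QMP socket itself then needs restrictive file permissions, since anyone who can connect to it can change the password or control the guest.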