On Wed, Jul 12, 2006 at 01:10:49AM +0100, Sam Morris wrote:
> On Tue, 2006-07-11 at 17:02 -0700, Matt Zimmerman wrote:
> > > I'm upgrading this bug because checkrestart is currently useless at
> > > best, and a security problem at worst. It must be fixed or dropped.
> > 
> > It is not a security problem, and it doesn't make the package unusable.
> > I agree that it should be dropped if it isn't feasible to fix it.
> 
> I argue that it should be considered a security problem: it is possible
> for users to run it, and not realise that it doesn't work. The users may
> therefore not notice that they must restart a process in order to
> eliminate their exposure to a vulnerability (that was fixed by upgrading
> a library which that process makes use of).

This is a very tenuous argument; by this criterion, practically any
functionality bug could be considered a security problem ("the fonts in my
web browser are too small, therefore I can't read security advisories").

-- 
 - mdz

