Hi Nico,

On Tue, 04 Dec 2007 14:58:26 +0100
Nico Golde <[EMAIL PROTECTED]> wrote:

> Hi Colin,
> * Colin Leroy <[EMAIL PROTECTED]> [2007-12-04 13:05]:
> > This bug is going to be fixed.
> > 
> > Would it be too much to ask the submitter to handle security issues
> > privately until they're resolved, or is it more interesting to have
> > them published all over the place[*] when no solution is available?
> [...] 
> To make it short yes. I do not share your policy for 
> handling security relevant bugs especially if you consider 

  This is not an upstream policy, it is how most people expect security bugs to
be handled and is part of our Developers Reference [0]. I also know
confidentiality is not required for minor bugs.


> that upstream authors are fairly often unresponsive and this 
> bug is of minor importance.

  Yep I agree the bug has minor importance, but generalising on upstream
unresponsiveness as justification for not sending a notice is not a good
idea. Mainly because it makes you look like you don't think or read before
posting, especially when the upstream of that precise script is also the
package maintainer. It also gives arguments to upstreams on generalising how
stupid DDs can be... :-P

> This is no remote root exploit so I don't see your problem. If you don't

  I don't see your problem either in sending a private mail first, especially
when there's an explicit request to do it from upstream.

> want people to write about what you do, then you should not publish 
> software. What I did is seeing a bug and using the BTS of my 
> distribution to report it, nothing more.

  Pretending you're 'just using the BTS' is even more stupid than the
previous justification or reveals a serious lack of knowledge about how
security bugs are spread.

  I know Colin's words were probably not in the best tone, but his request
is fair: nobody likes reading "There was no vendor-supplied solution at the
time of entry." in a security tracker when he had no opportunity to solve the
problem.

  Your bug report was good, there was no need to make stupid justifications,
and Colin wasn't saying the opposite, just requested coordination.

  BTW, the bug is already closed.

  regards,

[0]
http://www.us.debian.org/doc/manuals/developers-reference/ch-pkgs.en.html#s-bug-security
-- 
 Ricardo Mones
 http://people.debian.org/~mones
 «Are you a turtle?»
