On Sun, Aug 24, 2008 at 10:05:30PM +0400, Dmitry E. Oboukhov wrote:
> Package: initramfs-tools
> Severity: grave

> This message about the error concerns a few packages at once. I've
> tested all the packages (for Lenny) on my Debian mirror. All scripts
> of packages (marked as executable) were tested.

This is far below the quality I expect from a mass bug filing that's been reviewed by debian-devel. Mass bug filings at RC severity need to be held to a much higher standard than this, particularly when we're in the middle of a release freeze. It was certainly not my impression that "Possible mass bug filing" as a subject line meant that bug reports were imminent.

Problems with this report:

- the justification for "grave" severity is that it's a security hole, but no "security" tag was set
- information is available about what versions are affected, but no Version: pseudoheader is set
- the contents are 100% generic and require the maintainer to search through a list of packages/files to find out what script is supposed to be vulnerable
- there is no information in the bug report about the /methodology/ used to detect vulnerable scripts, leaving the maintainer no opportunity to provide feedback about bugs in said methodology

and finally,

- this bug report is a false positive. /usr/share/initramfs-tools/init is a script installed in the initrd, which is a single-user context; there's no possibility that this is exploitable.

Please take responsibility for providing the missing information to the package maintainers, and for correcting the false positives that you've filed.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/