Control: severity -1 grave

Hi Mike,

2014-12-20 20:57 GMT+01:00 Michael Gilbert <mgilb...@debian.org>:
> On Sat, Dec 20, 2014 at 6:15 AM, Adam D. Barratt wrote:
>> On Sat, 2014-12-20 at 11:48 +0100, Jonas Smedegaard wrote:
>>> [sent again, cc correct list address this time]
>>>
>>> Quoting Michael Gilbert (2014-12-20 11:06:47)
>>> > On Sat, Dec 20, 2014 at 4:59 AM, Balint Reczey wrote:
>>> >> On Fri, 19 Dec 2014 21:11:10 -0500 Michael Gilbert wrote:
>>> >>> control: severity -1 important
>>> >>>
>>> >>> There is no security support for libv8 in jessie, so security issues
>>> >>> aren't RC.
>>> >> Could you please add some links to explain that?
>>> >> I was about to fix this issue in an NMU after double-checking the
>>> >> fix.
>>> >
>>> > Severity doesn't say anything about whether or not a bug can be
>>> > fixed, so you can still do that. Anyway it was decided recently on
>>> > the security team ml.
>>
>> I'm not aware of it having been decided that the security team were the
>> arbiters of release criticality in such situations.
>
> The severity was bumped to grave by Moritz about a month ago, likely
> to get the libv8 maintainers to actually pay attention to their vast
> volume of unaddressed security issues.
>
> Now that it's been decided that libv8 won't get security support in
> jessie, it seems perfectly reasonable to move back to the original
> severity, which is important.

The proper severity of this bug is grave as set by Moritz IMO.
I'm restoring it wearing my maintainer hat.

I have also checked if the fix changed the ABI using objdump (did not
change it) and uploaded a fixed version to DELAYED/2.

The fix can be found in the usual packaging repository.

Cheers,
Balint