[Secure-testing-team] Reporting useless bugs
Stefan Fritsch
sf at sfritsch.de
Fri Jan 12 18:20:08 CET 2007
Hi Thijs,
On Friday 12 January 2007 16:25, Thijs Kinkhorst wrote:
> In recent times, I've been receiving more bug reports against
> packages I maintain that are worded like above: they are
> "unspecified" vulnerabilities over "unspecified" vectors with
> "unknown" implications.
>
> Please, I appreciate it when bugs are filed, but what value do
> contentless bugs like the one above add? How can they be
> "important" when there's no information in them?
I agree that there needs to be at least some information that allows
one to identify the bug.

But in this case there is a link to a Secunia advisory in the bug
report which claims "Fixed in version 2.9.2-rc1". So obviously the
changelog or the diff could be used to get more information.

Now the question is whether one should

1) delay the bug report until someone (either a security team member or
someone else) has had time to look into this more closely and identify the
exact issues, or

2) file the bug immediately to alert the maintainer (and allow him to
be that "someone" if he has time).

I think 2) is better, especially this close to the release, so that
the maintainer has more time to react.
Cheers,
Stefan