unfair heat rating

Bug #667215 reported by Tomek Bury
This bug affects 1 person
Affects: Launchpad itself
Status: Invalid
Importance: Undecided
Assigned to: Unassigned

Bug Description

Any security issue gets 400 heat points for starters: 250 for being a security flaw + 150 for the private flag. This one:

https://bugs.launchpad.net/ubuntu/+source/mutter/+bug/657976/comments/48

is a severe usability issue and scored only 162 so far. I expected that "netbook release unusable on netbooks" would be critical and hot as hell, but that's not the case. I don't think that the boost of 400 points is fair, at least in this particular case.

After all, what's the point of securing software that doesn't work?

(marking it as a security vulnerability to prove my point)

Tomek Bury (tomek-bury) wrote :

As you can see the heat is 4 flames while "netbook release unusable on netbooks" scored 0.

Tomek Bury (tomek-bury)
description: updated
description: updated
Deryck Hodge (deryck) wrote :

While I appreciate that you filed a bug on your issue, this is not a security bug. Please do not mark bugs as security bugs just to make a point.

security vulnerability: yes → no
visibility: private → public
Tomek Bury (tomek-bury) wrote :

It was purely for demonstration purposes, thanks for changing the settings back.

The point remains valid though. Usability and security issues should be a bit more balanced, otherwise security bugs easily become resource hogs.

tags: added: story-bug-heat
Gavin Panella (allenap) wrote :

> The point remains valid though. Usability and security issues should
> be a bit more balanced, otherwise security bugs easily become
> resource hogs.

Everybody has their own pet issue though. While you may consider
usability to be very important - and it is - someone else may be
concerned about reliability or durability, or something else.

Security bugs - potentially involving widescale theft or damage of
data, resultant economic costs, and secondary effects - are without a
doubt something that project owners should have their attention
urgently drawn to.

The main goal of bug heat, if I remember correctly, was to give people
another way to discover what *new* bugs they perhaps ought to pay
attention to in their project, to help them triage. Once a bug has
been triaged, bug heat is much less interesting.

If a security bug is present but not very important, it can be triaged
as such. Looking at a project's new bugs ordered by bug heat [1] can
be a good way to organize triaging when there are many new bugs to
consider. Security bugs will immediately get to the top of that list
because they should be triaged first.

[1] Using Launchpad Bugs as an example,

  https://bugs.launchpad.net/malone/+bugs?field.status=New&orderby=-heat

shows new bugs by heat, and will not show any security bugs (or any
other bugs) that have been triaged.

Gavin Panella (allenap)
Changed in malone:
status: New → Invalid
Tomek Bury (tomek-bury) wrote :

> Everybody has their own pet issue though. While you may consider
> usability to be very important - and it is - someone else may be
> concerned about reliability or durability, or something else

That's exactly my point.

> The main goal of bug heat, if I remember correctly, was to give people
> another way to discover what *new* bugs they perhaps ought to pay
> attention to in their project, to help them triage.

But that's not how the heat indicator works, as far as I can tell. The massive heat boost for security-related issues turns them into pet issues no matter what kind of pet is your project's favourite.
