Re: RFC: Central version control for Debian
* Lars Wirzenius (firstname.lastname@example.org) [010130 21:54]:
> > What we must ultimately do is not only secure our source but also
> > educate upstream. If that does not work and upstream keeps
> > putting out insecure software, we have two choices:
> > * publish exploits and force upstream to adopt changes
> > [- - -]
> This is what bugtraq and other existing forums are for, yes?
No, the security-relevant bugs are posted there. Many
manufacturers (or programmers) do not care to fix something if it
is not shown that the bug is really security-relevant and can in
fact be exploited. OpenBSD did not even care to check if the bug
was a security risk; they fixed it anyway.
To publish exploits of a bug is much more alarming than to say:
hey, there could be some risk here. It is like taking the gloves