
Re: NMU rules for security fixes (was: DEP1: Clarifying policies and workflows for Non Maintainer Uploads)



On Saturday 26 April 2008 02:07, Don Armstrong wrote:
> On Sat, 26 Apr 2008, Paul Wise wrote:
> > I'd prefer the security team did not delay fixes at all by default.
> > Exceptions for specific maintainers, transitions or other reasons
> > are fine too of course.
>
> For stable and testing, I agree. However, for unstable and
> experimental the maintainer should be at least given a chance to
> resolve the issue. [That is to say, I object to filing a bug and
> immediately NMUing for unstable; in almost all cases the bug should be
> a few days old before that happens.]

I agree with that. The cases where the available "patch" for a security issue 
was insufficient or broke other things are not quite rare. The maintainer of 
a package is the first one responsible for it and should be given the 
opportunity to comment on the patch and/or apply it himself. At least a few 
days, and of course depending on the impact of the bug: no need to rush in 
patches for low impact bugs.


cheers,
Thijs
