
Re: Bad press related to (missing) Debian security



In gmane.linux.debian.devel.security, you wrote:
>>Part of the problem with security updates has to do with the fact that
>>it's just difficult to coordinate the work.  Even when Wichert, mdz, and
>>others were more active, Joey still did most of the work because it was
>>often easier for one person to keep track of everything.
>
> That's exactly it. There's no effective tracking of security problems,
> and some people don't see this as a problem. That makes it extremely
> difficult for others to see what needs to be done.

Have a look at the system we use for the testing security team (I always
thought it originated in the security team):
http://lists.alioth.debian.org/pipermail/secure-testing-commits/2005-June/thread.html

This system is so efficient that most communication is basically made
through svn log messages.

A similar way would be very nice for stable security support as well.
The whole embargo thing about stable security is overrated anyway; as far
as I can see, for May and June only mailutils, qpopper and ppxp were
embargoed, so that they hadn't been publicly known when the DSA was published
(and even for mailutils and qpopper there was a small time frame of 1-2 days
between the first vendor fix and the DSA).
The majority of all issues could be handled a lot more transparently, IMO.

Cheers,
        Moritz
