Your message dated Sun, 23 Apr 2006 07:37:30 +0200 with message-id <20060423053730.GB31670@javifsp.no-ip.org> and subject line Fixed in CVS has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am talking about this indicates a serious mail system misconfiguration somewhere. Please contact me immediately.)

Debian bug tracking system administrator (administrator, Debian Bugs database)
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: http://www.debian.org/security/ seriously misleading about security infrastructure performance
- From: Filipus Klutiero <cheal@hotpop.com>
- Date: Sat, 19 Nov 2005 01:44:30 -0500
- Message-id: <E1EdMSc-0003Oi-M6@leo.ido.ath.cx>
Package: www.debian.org
Severity: serious

The header of the security page explains Debian's consideration of security issues and mentions an average security issue response time under 48 hours. I am certainly not the first person to notice this, but I have seen nothing about this issue for months. If someone doesn't agree that this is an order of magnitude too optimistic, I'll point to http://lwn.net/Articles/149976/

Note that I'll be happy to compile stats verifying whether the 48 hours response time is right if somebody can provide a method they think would prove it right.

I make this a serious bug to get attention. Whatever happens to this bug's severity, I would really appreciate it if this issue were treated. It's OK to have perhaps a suboptimal security infrastructure, as long as this is acknowledged and there's no false claim about it. Actually, "Debian takes security very seriously." is just a questionable statement, but giving a statistic that wrong about it just kills credibility. Keep in mind, those two sentences are probably the first ones someone Googling for "Debian security" will read.

Suggested fix: remove the first two sentences, at least the second.
--- End Message ---
--- Begin Message ---
- To: 339837-close@bugs.debian.org
- Subject: Fixed in CVS
- From: Javier Fernández-Sanguino Peña <jfs@computer.org>
- Date: Sun, 23 Apr 2006 07:37:30 +0200
- Message-id: <20060423053730.GB31670@javifsp.no-ip.org>
- Mail-followup-to: 339837-close@bugs.debian.org
I have fixed those claims in the CVS with the following patch:

--- index.wml 27 Feb 2006 17:37:09 -0000 1.78 +++ index.wml 23 Apr 2006 05:35:03 -0000 1.79 @@ -2,8 +2,22 @@ #use wml::debian::recent_list #include "$(ENGLISHDIR)/releases/info" -<P>Debian takes security very seriously. Most security problems brought -to our attention are corrected within 48 hours.</P> +<P>Debian takes security very seriously. We handle all security problems +brought to our attention and are corrected within a reasonable timeframe. +Many advisories are coordinated with other free software vendors +and are published the same day a vulnerability is made public and +we also have a <a href="audit/">Security Audit</a> team that reviews +the archive looking for new or unfixed security bugs.</P> + +# "reasonable timeframe" might be too vague, but we don't have +# accurate statistics. For older (out of date) information and data +# please read: +# http://www.debian.org/News/2004/20040406 [ Year 2004 data ] +# and (older) +# http://people.debian.org/~jfs/debconf3/security/ [ Year 2003 data ] +# http://lists.debian.org/debian-security/2001/12/msg00257.html [ Year 2001] +# If anyone wants to do up-to-date analysis please contact me (jfs) +# and I will provide scripts, data and database schemas. <P>Experience has shown that "security through obscurity" does not work. Public disclosure allows for more rapid and better solutions to security problems. In

Regards
Javier

Attachment: signature.asc
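Review bot: the second sentence of the new paragraph is ungrammatical and still makes an unsupported timing claim: "We handle all security problems brought to our attention and are corrected within a reasonable timeframe" leaves "We" as the subject of "are corrected". Suggest "We handle all security problems brought to our attention and ensure that they are corrected within a reasonable timeframe." The following sentence, "Many advisories ... are published the same day a vulnerability is made public", is likewise not backed by any figures on the page, and the added WML comment itself concedes that no accurate statistics exist; either soften it ("Advisories are often coordinated with other free software vendors and published when a vulnerability is made public") or point readers at the 2004 data the comment lists so the claim is checkable. Since this bug was opened precisely over an unverifiable statistic, the replacement text should not introduce a new one.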
Description: Digital signature
--- End Message ---