It seems that many package maintainers (perhaps even a majority) are not aware of the recommended methods for handling security issues in their packages. These procedures exist to help ensure that correct security advisories are released in a timely manner, and that fixes are included in future Debian releases.

I urge anyone who participates in package maintenance to read this section in the Developer's Reference:

http://www.debian.org/doc/developers-reference/ch-pkgs.en.html#s-bug-security

which documents the current recommended procedures. It has recently been updated with additional details and clarifications. It describes what you should do when you find out about a security-related bug in one of your packages, and how you can help to provide updates for stable releases.

Security updates can be very labor-intensive, and it helps greatly for individual package maintainers to share the burden.

Please feel free to contact me with any questions about this subject.

-- 
 - mdz