On Saturday, July 19, Bruce Perens wrote:

> > I agree that the security manager has the authority to make interim
> > releases without asking on debian-devel or the maintainer in "emergency
> > situation". However, even the security manager has to follow our policy in
> > that case. That is, he/she has to file a bug report against the package
> > providing info and a u-diff for the maintainer about the changes he/she
> > has done.
>
> I approve.
>
> > If there are no objections, I'll add that to the "Developers reference
> > manual".
>
> Fine with me.

A couple of points:

o Sometimes I may not be able to post the diff on a public mailing list.
  So you might want to write something like "make the diff available to
  the maintainer" (implying it can also be done through private mail, etc.).

o About posting announcements of fixes to bugtraq, etc. I'm not sure how
  welcome such announcements would be. If every vendor (all the Linux
  distributions, the *BSD and the commercial Unix people) started posting
  notices for every fix to (say) bugtraq, they'd quickly drown the
  discussion threads.

  And anyway, there are things getting in place that should lessen the
  need to broadcast these announcements to every mailing list.

  The first thing is the Linux vendor-sec mailing list, which will do
  'group' announcements for all the Linux distributions about security
  problems. (People who read bugtraq will have seen the ld.so
  announcements... and Debian is in there.)

  The second thing would be a debian-security-announce@lists.debian.org
  where Debian-specific announcements would be sent. I emailed Pete about
  it, but he's out of the office for about a week.

What mailing-list software are the Debian lists using? Since I doubt it
can provide moderated lists that are both secure (unauthorised people
can't post to the list even with forged headers) and fast (messages don't
have to go through a human operator before being sent to the list), I'm
very tempted to install ezmlm on master and do it myself.

Is there anyone here to say that this would be a bad idea?

Christian