Quoting Wichert Akkerman (wakkerma@debian.org):
> Previously James A. Treacy wrote:
> > Because no one sent them to the webmaster. I'm not sure whose
> > responsibility it is to do this. Anyway, if a short statement of
> > the problem and the fix are sent to either webmaster@debian.org
> > or debian-www@lists.debian.org it will be added.
>
> That's not true. There is a webmaster-security@debian.org alias to which
> I sent the tcsh announcement. I have to admit I forgot to do that for
> the bash announcement. If I remember J.D. Thomlinson is responsible for
> handling the security pages. Unfortunately he seems to be missing in
> action at the moment. If you want us to use webmaster@debian.org instead
> please say so.

Hmm. It looks like the latest thing on the security page is dated
March 31, 1998. Also, I'm not sure that the page is particularly easy to
use (e.g., it would be nice if there were clickable links to the new
packages.) Is it safe to say that there won't be further security updates
for older versions (rex, bo)? If so, why not use a format like that on the
redhat:

    Package name    Date    Description    Link to update

Then, there should probably be a link to the security page from the errata
page. I like the idea of keeping them separate, but redhat users are going
to look at the errata page for security fixes. It might also be nice to
have a larger link from the front page to the security page--right now you
really have to hunt for it, as it's off to the side in fine print.

If I didn't miss any, the packages with announcements since the 2.0 release
are:

hylafax -- new version 4.0.2-5, in r1
cfingerd -- 1.3.2-11.0, in r1
mutt -- 0.91.2-2, in r1
ncurses3.4-dev -- 1.9.9g-8.9.1 (security update only mentions dev package,
    but shouldn't ncurses3.4 be updated too?) Superseded by 1.9.9g-8.10?
eperl -- 2.2.14-0.2, in r1
lpr -- hamm unaffected
inn -- default config not vulnerable
apache -- 1.3.0-5, in r1
bsdgames -- 2.1-3hamm1, in r1
seyon -- default config not vulnerable
minicom -- default config not vulnerable
netstd -- 3.07-2hamm.1
bind -- 8.1.2-3
bash -- 2.01.1-4
tcsh -- 6.07.06-5

I'd assume that packages updated in r1 should have that info noted, but the
announcement and link should stick around for people still running the
original release.

If no one else wants to do all this, I could keep the page up to date and
mail it to webmaster for posting.

Mike Stone