> I only advise that this happens IF and ONLY IF those alerting multiple vendors say it is OK,
I agree. We don't want to be left out in the cold. If a consensus could be obtained in the security community then we can make it standing, documented Debian policy.
> and IF and ONLY IF it gets put out on widely used channels, in a context not Debian-specific (bugtraq, for instance). If we just warn Debian users, we do a disservice to other vendors.
I don't see why. If other vendors keep their users in the dark when they don't have to (i.e., the alerting party says a 'there is a bug' notification is OK), then they are doing their own users a disfavor. Of course, quite a few DSAs go to bugtraq anyway, so these alerts might too.