On Sat, Jan 19, 2002 at 01:39:59PM -0500, Anthony DeRobertis wrote:
> Can't we satisfy not disclosing the vulnerability and letting
> our users know by doing something like this:
>
>   Debian has been informed of a [<<type>>] vulnerability in
>   <<package>> [by <<someone>>]. We are preparing an updated
>   package, which will be available from security.debian.org
>   along with a DSA [on <<date>>].

No. If the information was given in confidence then the recipients
cannot in good conscience disclose *any* of the information. You can
argue the point with those who originated the information, but not those
who received it.