Re: can i upload this to security.d.o?

[Matt Zimmerman <mdz@debian.org>]

On Sun, Mar 14, 2004 at 11:54:02AM +0100, martin f krafft wrote:

> According to bug#231858, currently it's not possible to use
> grsecurity on Woody. The latest kernel on woody is 2.4.18, and
> apparently some security patches have propagated back into that
> kernel that break grsecurity.
> 
> Thus, my question: I'd be willing to fix grsecurity wrt woody and
> 2.4.18. Could I upload the fixed version to security.d.o? Or should
> I just declare grsecurity to be unusable on woody and tell people to
> get newer, non-woody kernels?

This is a common source of confusion which often comes up with the
'security' tag in debbugs, but I'm not sure where in the documentation it
should be clarified.  Clearly the developer's reference is not the right
place, because there is an entire section on security updates already which
it doesn't seem that you've read (it answers your question about uploading).

Put simply, having a bug in a security-related package is not the same as
having a security-related bug (vulnerability).  security.debian.org and DSAs
are used to address the latter, not the former.

If you want to address a severe bug in woody, the correct approach is to
upload to proposed-updates.

-- 
 - mdz