Hi! Andres Salomon [2005-03-16 2:43 -0500]: > >>>> You seem to be implying that ubuntu is providing you with confidential > >>>> prior warning about kernel security holes, but I really doubt this, > >>> > >> > >> Actually, that was the case for a while (before ubuntu's kernel team went > >> on vacation, and I went on vacation). However, w/ all the vacations > >> that have been happening, it hasn't been the case for a few months. > >> > >> > > > > Rather, I was mistaken; they were things that had already been made > > public. Right, I never gave away details about undisclosed issues. At most I said to you "hey, there is another issue that will be published in two days, so rather wait with an upload". > > And, as a perfect example; > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0210 > > This has already been made public, and has been fixed in Ubuntu kernels > for 2 days. Sure would be nice the cve folks to let the rest of us in on > it, eh? Mitre generally lacks behind fairly badly with this. I think it is genrally easier to coordinate with the Ubuntu kernel and security teams. I track all issues that affect the Ubuntu kernel (which mostly affect Debian as well) and generally know patch URLS etc. Also, you can always get patches from the source packages, or get them from the arch repository. But in the long run I think it would be easier to apply for vendor-sec subscription. Joey is already subscribed, but since he does not deal with unstable updates, it would be good to have Andres on board. Personally I would apreciate and support Andres' subscription to vendor-sec. Martin -- Martin Pitt http://www.piware.de Ubuntu Developer http://www.ubuntulinux.org Debian GNU/Linux Developer http://www.debian.org
Attachment:
signature.asc
Description: Digital signature