
Re: Bits from the Security Team

* Guido Günther:

> Hi Moritz,
> On Sun, Mar 09, 2008 at 11:05:11PM +0100, Moritz Muehlenhoff wrote:

>> The Security Team is now using Request Tracker to coordinate work 
>> and our RT processes have already been refined a lot.
>> If you're a package maintainer working towards a security update,
>> you're now encouraged to open a ticket directly. You will be kept in
>> CC during the lifetime of the ticket. If you're opening a ticket for
>> a security problem, which is not yet publicly known, e.g. if you've
>> discovered it by yourself or if you have been contacted by upstream,
>> please open a ticket in the "Security - Private" queue. These
>> issues will only be visible by the Security Team.

> Should the RT also be used for breakage caused by a security update?

Sure, but keep in mind that RT is intended for coordinating the actual
upload, and not primarily for reporting the bug itself.

> Is the security team interested in this kind of information or should
> this be handled by the maintainer?

Maintainer involvement is always desirable because it's better if
someone familiar with the software prepares the upload.  With complex
packages, maintainer involvement is a must.

It's not clear from the bug reports what's causing this regression, so
there's little that we (the security team) can do that other interested
parties can't do better and more quickly.
