Re: Bits from the Security Team
* Guido Günther:
> Hi Moritz,
> On Sun, Mar 09, 2008 at 11:05:11PM +0100, Moritz Muehlenhoff wrote:
>> The Security Team is now using Request Tracker to coordinate work
>> and our RT processes have already been refined a lot.
>> If you're a package maintainer working towards a security update,
>> you're now encouraged to open a ticket directly. You will be kept in
>> CC during the lifetime of the ticket. If you're opening a ticket for
>> a security problem, which is not yet publicly known, e.g. if you've
>> discovered it by yourself or if you have been contacted by upstream,
>> please open a ticket in the "Security - Private" queue. These
>> issues will only be visible by the Security Team.
> Should the RT also be used for breakage caused by a security update?
Sure, but keep in mind that RT is intended for coordinating the actual
upload, and not primarily for reporting the bug itself.
> Is the security team interested in this kind of information or should
> this be handled by the maintainer?
Maintainer involvement is always desirable because it's better if
someone familiar with the software prepares the upload. With complex
packages, maintainer involvement is a must.
It's not clear from the bug reports what's causing this regression, so
there's little that we (the security team) can do that other interested
parties can't do better and more quickly.