Re: Bits from the Security Team
On 2008-03-11, Don Armstrong <email@example.com> wrote:
> On Sun, 09 Mar 2008, Moritz Muehlenhoff wrote:
>> If you're opening a ticket for a security problem which is publicly
>> known, e.g. if it's announced on the project web site, please open a
>> ticket in the "Security" queue. These issues will be visible
> Is there any particular reason why we're duplicating this information
> that should already be present in the bts as bugs with severity
> serious tagged security marked found in a version in stable in RT?
> If there are some changes to the BTS needed for the security team to
> track the non-embargoed issues more easily, I'd be glad to make (or at
> the very least discuss) them.
> From where I sit it seems non-ideal for both the security team and
> maintainers (as well as anyone else who is interested) to put this
> information in a system which isn't tied in strongly with the BTS or
> otherwise is unable to track package versioning.
This doesn't intend to duplicate information from the BTS. The RT
queues even contain direct links to the BTS. RT is used to distribute
work among the members of the security team and to keep pending
issues more organized.
RT mostly replaces sending mail to firstname.lastname@example.org if a
maintainer wants to assist in preparing a security update. Mail doesn't
scale very well, so we've had occasional smaller issues being lost in