[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: How to manage security issues when the maintainer is not the developer

On Wed, 2008-04-16 at 13:55 +0200, Andrea De Iacovo wrote:
> Hi all.
> How do you think a maintainer should manage security issues when he is
> not the package developer? Should he/she either work alone to make
> patches or wait for the upstream patches/relases that solve the bug?

Notify upstream, work on the patch and stay in communication with
upstream as you work.

If you get a response from upstream, work together to come up with a
complete solution but don't let that process cause undue delay to fixing
the problem (especially close to a release, as now).

If upstream are busy with other things, solve the problem yourself and
make the upload - ask the security team for help with that side if you
are unsure.

Solve the problem - if upstream come back to you with a different fix
later, you can always migrate to that fix.


Neil Williams

Attachment: signature.asc
Description: This is a digitally signed message part

Reply to: