Re: eglibc update for GHOST CVE-2015-0235

On Wed, January 28, 2015 11:29, Lucas Nussbaum wrote:
> Yes, I was wondering how we could improve on the current status for the
> handling of medium/high-severity issues, and I'm interested in the
> Debian security team's opinion about that.
>
> Should the Debian LTS team apply to join the linux-distros list as a
> separate entity? Wouldn't the fact that 'Debian LTS team' is not as
> strictly defined in terms of membership as e.g. 'Debian security team'
> be a problem?
>
> Should people interested in LTS join the Debian security team, to focus
> more specifically on preparing LTS updates for embargoed issues (without
> sharing them with the rest of the LTS team, which would break the
> embargo)? How would that be welcomed by the Debian security team?

It seems at least from my perspective that the LTS team is a loosely
defined consortium of individuals which makes sharing the embargoed
information problematic. If I have an embargoed issue I think there's
usually no problem sharing that information privately with LTS'ers, but
right now there's no clear contact point for that.

Nor do I have a good understanding of who is working on LTS. People are
hired by the hour, so if I send something to someone personally now it may
just be that they're not working on LTS this week. There's not really a
defined "team" that I could find.

I would start with creating such a contact point, and make it clear who's
behind it. That makes sharing this information much more straightforward.

Subscription to distros list is per individual and we can certainly
nominate people for that, but I think it also depends on a clear
definition of which DD('s) that would be.