Re: eglibc update for GHOST CVE-2015-0235
Hi Thijs,
On Wed, 28 Jan 2015, Thijs Kinkhorst wrote:
> It seems at least from my perspective that the LTS team is a loosely
> defined consortium of individuals which makes sharing the embargoed
> information problematic. If I have an embargoed issue I think there's
> usually no problem sharing that information privately with LTS'ers, but
> right now there's no clear contact point for that.
>
> Nor do I have a good understanding of who is working on LTS. People are
> hired by the hour, so if I send something to someone personally now it may
> just be that they're not working on LTS this week. There's not really a
> defined "team" that I could find.
FWIW, concerning "paid contributors", we do have an alias pointing to all
the people listed in
http://www.freexian.com/services/debian-lts-details.html#who
FTR it's deblts-team _AT_ freexian.com. But I also believe that
this should not become an official contact point of the LTS team
for embargoed issues.
Maybe you could setup lts@security.debian.org alias pointing
to whoever from the LTS team is willing to handle embargoed issues?
Looks like Holger is interested. I am interested too. And I expect
Thorsten Altenholz to also be interested.
> Subscription to distros list is per individual and we can certainly
> nominate people for that, but I think it also depends on a clear
> definition of which DD('s) that would be.
I don't know how you handle embargoed issues in the security team
and if such a subscription is required to be able to prepare security
updates, or if you expect to share enough information with
the new private LTS contact point.
Anyway, I would be OK to be subscribed there too.
Cheers,
--
Raphaël Hertzog ◈ Debian Developer
Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/
Reply to: