
"Alert - fix pending" or "Ok - not vulnerable" security announcements



Hello,

A similar thread has appeared before, but no conclusion was reached.

I suggest that two more types of security advisories be issued by the
Debian Security team:

1) "Alert - fix pending" type -- issued immediately after info about a
security error is public. Such an advisory would contain a description of
the problem and temporary ways to protect a system before a proper
fix is done by the security team. This alert should be sent as soon as
the problem is known and before the security team starts working on a
patch and a security release. Protection ways could include disabling a
service, blocking ports or other hack-like temporary workarounds. These
advisories could have a minor number of "0", like '123-0'.

2) "Ok - not vulnerable" type -- issued when it is clear that a widely
distributed security error is found not to apply to Debian. We could
narrow the area to security errors that affect either RedHat, Mandrake,
SuSE or Slackware. The advisory could also state why the error doesn't
affect Debian.

Both of these fix one important problem - sometimes, looking at any
global list of security advisories of multiple distributions, one sees an
error that has advisories from other distros, but doesn't have a Debian
advisory. In this case it is not clear if the error applies to Debian,
if it is being worked on and for how long.

It also makes it a lot easier to find a way of securing one's system
until a proper fix is ready, which can be crucial in some situations.

And, of course, any of these will improve Debian's image as a distro
that is close to its users.
-- 
Best regards,
    Aigars Mahinovs        mailto:aigarius@debian.org
 #--------------------------------------------------------------#
 |     .''`.                                                    |
 |    : :' :         Debian GNU/Linux    &         LAKA         |
 |    `. `'       http://www.debian.org     http://www.laka.lv  |
 |      `-                                                      |
 #--------------------------------------------------------------#
 
