Re: [Secure-testing-commits] r11636 - data/CVE



On Friday 17 April 2009, Kees Cook wrote:
> For embargoed issues, this is supposed to happen already, by way of
> vendor-sec.  Who all from Debian is on that list, and what are the policies
> and procedures you have in place for contacting maintainers?

The Security Team is on that list. We do contact maintainers when there's an 
issue affecting their packages. With udev that went wrong, probably because 
we had a reduced number of active people due to various VACs.

> One idea we'd had was to send email to the Debian 
> maintainer for stuff we've ranked as "High" or "Critical", with something
> like "there's an embargoed issue with $pkg, please make sure you get
> details from the Debian security team."

I'm not sure if this is a good idea, since some "maintainers" are actually 
public mailing lists.


cheers,
Thijs
