
Disappointment in security handling in Debian



G'day,
  I'm writing this to express my frustration at the slowness Debian
seems to be afflicted with when it comes to letting people know about
our security vulnerabilities and fixes.

We seem to be able to find, fix and upload fixed packages quite
quickly; however, we are usually the last to let others know that they
should upgrade to the new packages, making our users unnecessarily
vulnerable.

Take the LPRng syslog() bug for example.  I've just had to email CERT
myself because there is no advisory.  If it is my responsibility to
write these things, then it should be clearly stated for all developers
somewhere.  If it is not, then it should be clearly stated what I am
supposed to do to make it happen.

This fix was mid-October, it is now mid-January.  Taking 3 months to
write something up is clearly not acceptable and something needs to be
done to correct it. I'm sick of seeing emails saying basically a user
thought we were vulnerable until they accidentally stumbled upon
some obscure email somewhere.

We are not doing the project or our users justice with these delays.

  - Craig
-- 
Craig Small VK2XLZ  GnuPG:1C1B D893 1418 2AF4 45EE  95CB C76C E5AC 12CA DFA5
Eye-Net Consulting http://www.eye-net.com.au/        <csmall@eye-net.com.au>
MIEEE <csmall@ieee.org>                 Debian developer <csmall@debian.org>
