Re: Debian security being trashed in Linux Today comments

On Mon, Jan 14, 2002 at 12:05:34PM +0000, Tim Haynes wrote:
> Adam Warner <lists@consulting.net.nz> writes:
> > http://www.linuxtoday.com/news_story.php3?ltsn=2002-01-14-002-20-SC-DB
> >
> > Someone with better knowledge of all the facts might want to comment
> > on the claim that "Debian is always the last to fix security holes"
> > and the tag team follow up "I've been fighting for months now to try
> > to convince them to release an advisory or fix for ftpd..."
> Some of us wouldn't dare say such things without at least reviewing
> the given distro's security policy, FAQ and history.

> <http://www.debian.org/security/> is over there ---> .

Indeed.  My only experience with trying to get an exploitable package
patched was rather disappointing though.

I believe (not being a Debian developer myself) that security@debian.org
goes to debian-private which is only available to developers.  It then
requires the developer of the package you're reporting about to be awake
enough to /do/ something about the bug you are reporting.

I had problems with apache whose old maintainer didn't really seem to
care (bug 104187 for the gory details).

So perhaps Debian security is only as good as the package maintainers?
I'm sure most maintainers do care and do investigate bugs; I probably
just had a bad experience.

----------(  "Have you seen a man who's lost his luggage?"   )----------
Simon ----(                   -- Suitcase                    )---- Nomis
                             Htag.pl 0.0.19