Re: security@debian.org
On Thu, Jun 03, 2004 at 02:42:59AM +0200, Florian Weimer wrote:
> Has security@debian.org been directed away from debian-private? It's
> probably a good move. In the past, the old setup resulted in some
> confusion because submitters usually do not expect that security@ is read
> by all people in the organization. 8-)
Yes, see Steve's reply. This was done for exactly that reason.
> Does this mean that security vulnerabilities are no longer to be discussed
> on debian-private (which seems to have happened accidentally in the past)?
I don't see any reason why it should be forbidden; if it is important for
some reason that a large number of Debian developers be informed about a
vulnerability, then that could happen via debian-private.
In general, though, discussions about vulnerabilities take place between the
package maintainer, upstream and the security team.
--
- mdz
Reply to: