Re: Proposal/suggestion for security team w.r.t. published vulnerabilities
On Tue, Jul 06, 2004 at 09:13:18PM +0200, Jeroen van Wolffelaar wrote:
> On Tue, Jul 06, 2004 at 03:08:38PM -0400, Michael Stone wrote:
> > On Tue, Jul 06, 2004 at 08:06:36PM +0200, Jeroen van Wolffelaar wrote:
> > >As an example, take CAN-2004-0519, CAN-2004-0520 and CAN-2004-0521, all
> > >three not yet solved in woody, but also not filed in the BTS (hm, two of
> > >them directly refer to a patch solving it...).
> > Go ahead and file the bug.
> mdz told me this isn't done for practical reasons: the BTS isn't very
> suitable for tracking which versions are affected, and a sid upload can
> close such a bug while it's still in woody. While I think it'd still be
> possible without too much hassle, if they don't want to do so, I'm not
> going to interfere in that.
> For those two bugs, I'm simply mailing the security team myself, maybe
> also file a bug, don't know yet.
You are free to file a bug, and sometimes this helps to get a response from
the maintainer; just note that these bugs will generally not be used by the
security team for tracking the status of the vulnerabilities.