Re: Proposal/suggestion for security team w.r.t. published vulnerabilities
On Tue, Jul 06, 2004 at 10:39:09PM +0200, Bernd Eckenfels wrote:
> In article <20040706191318.GM9109@A-Eskwadraat.nl> you wrote:
> > mdz told me this isn't done for practical reasons: the BTS isn't very
> > suitable for tracking which versions are affected, and a sid upload can
> > close such a bug while it's still in woody. While I think it'd still be
> > possible without too much hassle, if they don't want to do so, I'm not
> > going to interfere in that.
> Well, I guess anybody is free to open bugs against packages if they hear
> about vulnerabilities. I guess this even might help in some cases. But I
> don't think the security team can "publish" received vendor alerts before
> the going-public date. Effectively this is "hiding", but on the other hand
> it is also respecting the wishes and requests of others. And not honoring
> them will quickly lead to Debian being cut off from those alerts. So that's
> why unpublished alerts are not posted.
I'm only talking about published issues, of course, unpublished ones
shouldn't go into the BTS.
Having the security team file bugs for _published_ issues will make part
of the work of the security team, namely managing which vulnerabilities
exist and apply to woody and aren't fixed yet, also available to
non-security team members, who can then possibly help more effectively on
security issues. I'll post a list of a few such issues here later
tonight, which are exactly the issues that could have been filed in the BTS.
Jeroen van Wolffelaar
Jeroen@wolffelaar.nl (also for Jabber & MSN; ICQ: 33944357)