Proposal/suggestion for security team w.r.t. published vulnerabilities

In article <20040706191318.GM9109@A-Eskwadraat.nl> you wrote:
> mdz told me this isn't done for practical reasons: the BTS isn't very
> suitable for tracking which versions are affected, and a sid upload can
> close such a bug while it's still in woody. While I think it'd still be
> possible without too much hassle, if they don't want to do so, I'm not
> going to interfere in that.

Well, I guess anybody is free to open bugs against packages if they hear
about vulnerabilities. I guess this even might help in some cases. But I
don't think the security team can "publish" received vendor alerts before the
going-public date. Effectively this is "hiding", but on the other hand it is also
respecting the wishes and requests of others. And not honoring them will
quickly lead to Debian being cut off from those alerts. So that's why
unpublished alerts are not posted.

