Re: Bad press related to (missing) Debian security
On Tue, Jun 28, 2005 at 01:56:55AM +0200, Moritz Muehlenhoff wrote:
> Have a look at the system we use for the testing security team (I always
> thought it originated in the security team):
> This system is so efficient that most communication is basically made
> through svn log messages.
> A similar way would be very nice for stable security support as well.
Interesting; I didn't know about this. I suggested to Joey Hess that stable
and testing security work should be done by a single security team; one of
the benefits of this would be convergence on better tools.
> The whole embargo thing about stable security is overrated anyway; as far
> as I can see it for May and June only mailutils, qpopper and ppxp were
> embargoed, so that they hadn't been publicly known when the DSA was
> published (and even for mailutils and qpopper there was a small time frame
> of 1-2 days between first vendor fix and the DSA). The majority of all
> issues could be handled a lot more transparently, IMO.
Yes, non-embargoed issues could be handled more transparently. The best way
to deal with non-embargoed issues, of course, is for the package maintainer
to prepare an update and send it to the security team.