[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Bad press related to (missing) Debian security

On Tue, Jun 28, 2005 at 01:56:55AM +0200, Moritz Muehlenhoff wrote:

> Have a look at the system we use for the testing security team (I always
> thought it originated in the security team):
> http://lists.alioth.debian.org/pipermail/secure-testing-commits/2005-June/thread.html
> This system is so efficient that most communication is basically made
> through svn log messages.
> A similar way would be very nice for stable security support as well.

Interesting; I didn't know about this.  I suggested to Joey Hess that stable
and testing security work should be done by a single security team; one of
the benefits of this would be convergence on better tools.

> The whole embargo thing about stable security is overrated anyway; as far
> as I can see it for May and June only mailutils, qpopper and ppxp were
> embargoed, so that they hadn't been publicly known when the DSA was
> published (and even for mailutils and qpopper there was a small time frame
> of 1-2 days between first vendor fix and the DSA).  The majority of all
> issues could be handled a lot more transparent, IMO.

Yes, non-embargoed issues could be handled more transparently.  The best way
to deal with non-embargoed issues, of course, is for the package maintainer
to prepare an update and send it to the security team.

 - mdz

Reply to: