Re: Debian Security Support in Place

To: debian-security@lists.debian.org
Subject: Re: Debian Security Support in Place
From: Jan Lühr <jluehr@gmx.net>
Date: Sat, 9 Jul 2005 10:51:11 +0200
Message-id: <[🔎] 200507091051.12131.jluehr@gmx.net>
In-reply-to: <20050708055840.GP9098@finlandia.infodrom.north.de>
References: <20050708055840.GP9098@finlandia.infodrom.north.de>

(open letter to the debian security team)
Greetings,..

on friday, 8th july 2005 07:58 Martin Schulze wrote:

[...]
> The Debian project confirms that the security infrastructure for both
> the current release Debian GNU/Linux 3.1 (alias sarge) and the former
> release 3.0 (alias woody) is working again.  The security team is now
> able to provide updates on a regular basis again.
[...]
> There were several issues with the security infrastructure after the
> release of sarge, that lead to the Debian security team being unable
> to issue updates to vulnerable packages.  These issues have been fully
> resolved, and the infrastructure is working correctly again.

Nice to hear, thanks to all. You obviously spent a lot of time and efforts in 
restoring  debian security. Thanks.

But maybe, some rather constructive critism is required as well- and
ehm, well, to be honest, imho this is not satisfying:

It has never been official announced, that the security infrastructure is not 
working. It is quite confusing, that you report the end of problems you 
haven't reported at first, furthermore if the end of this problem justifies 
an official debian announce, the beginning of this problem should have been 
announced to.
Knowing a security problem is imho probably more important than knowing not 
having a problem, because, a security problem requires defensive actions.

Another point is the explanation.
"several issues with the security infrastructure" can probably mean anything. 
From failing power supplying units up to conflicts within the security team.
By that the explanation is not satisfying, too.

There has been a few rumours in joey's blog, but anyway, I'm missing official 
statements / announces, why this had happend (technically and 
non-technically) how it was solved, and how it is prevent in the future - and 
I guess,  others are missing 'em as well.

Looking back to the break-in 2003, this issue was handled very good and 
transparent. Imho this was a good example how things can be handled -
thus going on that way ought to be quite better.

Thanks for your patience,
Keep smiling
yanosz

Reply to:

Prev by Date: Re: Debian Security Support in Place
Next by Date: Re: Debian Security Support in Place
Previous by thread: Re: Debian Security Support in Place
Next by thread: unsubscribe
Index(es):
- Date
- Thread