
Re: Timeliness of Debian Security Announcements? (DSA 756-1 Squirrelmail)



* Herwig Wittmann:

> I do not want to be rude in any way - please try to excuse my way of
> putting things, but does anybody have a prediction how probable it
> is for such a thing to happen again?

Delays on the order of weeks are pretty standard, and they are not
always caused by embargoes.  It's a bit unfortunate that the "48 hours"
claim is still on the web page.

> Is there a role/function in Debian that is responsible for reviewing
> bugtraq or similar sources, and is it ensured that this role is fulfilled
> every day?

Not very formalized, but we have several persons doing public
monitoring. They file bug reports in Debian's Bug Tracking System when
they encounter public reports of security bugs.

For the most exposed packages you use, you should subscribe to the
package-specific email feed which is provided by the Package Tracking
System:

  http://packages.qa.debian.org/s/squirrelmail.html

Usually, security bugs reported publicly are filed on the same day in
the Debian BTS, especially if the package has quite a few users.

The DSA will be released when a security update for the stable
distribution is available.  As you've noticed, there can be quite some
delay.


