Re: Timeliness of Debian Security Announceness? (DSA 756-1 Squirrelmail)
On Thu, Jul 14, 2005 at 05:40:22PM +0200, Herwig Wittmann wrote:
> This would be very convenient- but the delay that seems to have passed
> between the original squirrelmail security announcement and the time I
> received the alert via email@example.com is worrying:
> The Vulnerability seems to have been described a few weeks ago:
> The Debian Security Advisory 756-1 is dated July 13th, 2005.
This has been discussed already in the archives, you should probably
refer to those rather than reviving the subject.
eg the following three threads:
> I do not want to rude in any way- please try to excuse my way of putting
> things, but does anybody have a prediction how probable it is for such a
> thing to happen again?
It's unknown whether the build infrastructure problems will recur,
machines do die so it's possible. The communication problems leading
to various misunderstandings I hope will be less likely to reoccur.
> Is there a role/function in debian that is responsible for reviewing
> bugtraq or similiar sources, and is ensured that this role is fulfilled
> every day?
The security team do follow bugtraq, etc. Filing bugs with patches
is a useful thing to do - but forwarding a message that has been posted
publically already is perhaps less useful. It's not like there's not
enough spam mail sent to firstname.lastname@example.org already ;)
> Or will there be other measures in place to see that security issues are
> noticed quickly for all packages- even for strange tools that
> are not used by normal unix-centered developers?
I'm unsure exactly what you are suggesting about less popular tools.
Sure if five issues need fixing simultaneously the "less used" is
liable to suffer if there's a more important bug.
Still even less popular tools are supported, all packages should
receive updates eventually.
# The Debian Security Audit Project.