Re: Bad press again...



also sprach Florian Weimer <fw@deneb.enyo.de> [2005.08.27.1107 +0200]:
> > Do we have a security team for stable?  I know that we have a
> > security team for testing consisting of nine DDs and ten
> > non-DDs, but it seems to me that stable is handled by Joey
> > alone.  Has this changed since the havoc a few months ago?
> 
> I don't think so.  Joey seems to be satisfied with this situation,

How would you know?
And I don't think the question is whether Joey is satisfied, it's
more whether our users are satisfied, and that includes all of us.

> and apart from unanswered email messages to <security@debian.org>,
> there are few complaints, AFAIK.

That's because complaints don't actually have any result, so I, for
instance, have stopped. I've pointed to severe problems with Debian
stable security several times before and usually got around 30
private messages a day thanking me for raising these issues and for
staying on track. I don't think Joey found it necessary just
a single time to articulate a position on the issue of e.g. the
three week outage in the security team throughout June.

The final announcement that was sent was not authored by Joey, but
by other DDs who were similarly concerned.

Now we've had another issue of problems with s.d.o, but we had to
learn about them from Heise.

Following the debate around LinuxTag, Branden put a trusted and very
active and skilled developer on the task to research the security
problems. Unfortunately, he has not been able to get far with this
job yet, probably due to numerous reasons. If Branden reads this
(and he should as it's CC'd), I hope he does something about the
situation, not by putting pressure on the researcher, but by
actually causing some change.

> The email part is very unfortunate indeed, but it probably doesn't
> warrant drastic measures.

Not if we want Debian to become known as an amateur club and lose
value among professionals. And yeah, client switching to Solaris may
tell something about their understanding of security... but then
isn't it all the more important for Debian to get it right and help
protect those that don't know better?

-- 
Please do not send copies of list mail to me; I read the list!
 
 .''`.     martin f. krafft <madduck@debian.org>
: :'  :    proud Debian developer and author: http://debiansystem.info
`. `'`
  `-  Debian - when you have better things to do than fixing a system
 
Invalid/expired PGP (sub)keys? Use subkeys.pgp.net as keyserver!
 
will kill for oil!