
Re: Bad press again...




On Mon, 29 Aug 2005, Paul Gear wrote:

> > if it's important... they will post dsa ??
> 
> There certainly have been exceptions to that rule.  The maintainer of

there will always be exceptions ...

> shorewall has been trying for weeks to get a DSA issued about a
> vulnerability, and it seems we have to convince Joey that it *is* a
> vulnerability before he'll issue it.  (I don't understand this - how can
> Joey even *try* to understand every security bug?)  Repeated attempts to
> communicate this have been met with silence.

if the originating authors thought xx was a security problem,
they'd fix it 

i doubt security problems are fixed by 3rd parties and released as
patches to the original w/o saying it is a 3rd party patch vs
fixed at the originating source

joey and crew can't possibly examine, review, fix, verify all bugs
no matter how good of an expert security coder they were

---- 

"(security) bug fix day" is a good way to get the team together to address 
bug reports and verify/fix/confirm it

----

if "debian" didn't fix "xxx" to the degree needed, most other people
have created their own distro to address those issues instead
of "pointing fingers" with the expectations of: "please fix this for me"

----

we apply my own patches and methodology above/on-top of what debian offers
to keep things up to par with our "sanity requirement levels"

c ya
alvin



