Re: Bad press again...

[Florian Weimer <fw@deneb.enyo.de>]

* Paul Gear:

> If we're going to have another crack at it, then, what track should we
> take?  Reopen the bug as Florian suggested,

According to a recent discussion on -devel, this bug is still open.
The BTS web is a bit confusing.

> email the security team, just keep pestering Joey?

IMHO, the first step would be to convince the shorewall maintainer
that a security update for stable needed. [*] Then someone needs to
prepare an update (preferably the maintainer or someone else who is
familiar with the software).  This is slightly complicated by the
unfortunate fact that the patch in the errate of 2.2.5 does not apply
cleanly to the 2.2.3 version.

> I didn't mean to stir up so much crap about this problem.  I just want
> to see both Debian and Shorewall succeed, and it seems to me that there
> are some organisational problems with Debian when it comes to security.
>  I want to make sure that we (the upstream team and the maintainer) are
> not the cause of them.

Yes, and this is a relatively simple issue and is a good testing
ground.


[*] In the meantime, I've seen upstream's reaction to this bug, and it
makes clear that this is not a mere documentation issue.