On Fri, Oct 28, 2005 at 10:16:03AM -0500, John Goerzen wrote:
> On Fri, Oct 28, 2005 at 04:42:31PM +0200, Piotr Roszatycki wrote:
> > Why was my report ignored? I reported the problem 3 days ago and I had no
> > reply.
>
> This seems to be a very frequent problem going on for a while now.
>
> Could someone from the security team comment on what the problem is?

The problem is that we receive a lot of reports, each of which may involve a significant amount of time to attend to. New entries are pushed onto the stack almost daily.

Whilst some are simple and can be dealt with easily, some are more complex and obviously we cannot disclose them publicly.

If it is useful I could begin sending out a form response, something like "Yes we received your report, yes we will fix it, please have patience".

However a useful response such as "Yes we've got your package report and we'll update an advisory after we've done openssh, mozilla, the kernel." is not going to happen. Even estimating an advisory date is going to be non-trivial.

(NOTE: Package names above are chosen at random ...)

Sometimes an issue will be responded to, fixed, and uploaded all in the same day. Sometimes it takes longer to:

* Confirm the problem.
* Produce a patch.
* Communicate with the package maintainer to discover when the Sid version will be tested.
* Communicate with other Linux distributions to make sure that the package can be updated by multiple distributions in a coordinated fashion.
* Communicate with the upstream developers to let them know, if they don't know so far.
* Allocate and assign a unique ID for the issue.

The best thing that you can do when reporting problems is:

a) Be detailed.
b) Ideally have a patch, or a pointer to one.
c) Be patient.
d) Don't file reports which are already in the BTS.
e) Be patient.
f) Be patient.

All reports are read and responded to *in time*. Be patient.

None of this is news.

Steve
--