
Re: What's going on with advisory for phpmyadmin?



* Steve Kemp:

>   However a useful response such as "Yes we've got your package report
>  and we'll update an advisory after we've done openssh, mozilla, the
>  kernel." is not going to happen.

The web pages state that you aim for a fix within 48 hours.  Maybe
this sentence should be removed?  See the patch below.

Please note that I don't think this is the fault of the security team.
Debian has grown since this promise, and the complexity of the
distribution has increased significantly.  Another indicator is that
since the release of sarge, a CVE-worthy vulnerability has been fixed
every 20 hours.  I don't think any other software vendor currently
matches that pace.

Index: index.wml
===================================================================
RCS file: /cvs/webwml/webwml/english/security/index.wml,v
retrieving revision 1.77
diff -u -u -r1.77 index.wml
--- index.wml   17 Oct 2005 21:54:18 -0000      1.77
+++ index.wml   28 Oct 2005 15:40:46 -0000
@@ -2,8 +2,7 @@
 #use wml::debian::recent_list
 #include "$(ENGLISHDIR)/releases/info"
 
-<P>Debian takes security very seriously. Most security problems brought
-to our attention are corrected within 48 hours.</P>
+<P>Debian takes security very seriously.</P>
 
 <P>Experience has shown that "security through obscurity" does not work. Public
 disclosure allows for more rapid and better solutions to security problems.  In
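Review bot: The added line `+<P>Debian takes security very seriously.</P>` leaves the page with no statement at all about expected turnaround once the 48-hour sentence is removed. If the figure no longer holds, consider replacing it with a qualified statement instead of deleting it outright, or fold the remaining sentence into the following "Experience has shown" paragraph so it does not stand alone as a one-sentence paragraph.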




