
Re: replacing misleading debian.org/security claims

Hi Max -

(First-time poster (maybe?) / long-time lurker.)

I think highlighting that Debian is supported by volunteers is important, and providing up front a link to the tracker is outstanding. The "we take security seriously" text is dated, consistent with standard boilerplate text.

I'd also like to see information on both how to submit vulnerabilities and how to contribute to getting them fixed.


On 12/28/21 1:46 PM, max wrote:
Some statements on debian.org/security are inaccurate, and many people are misled by them.

I propose replacing

Debian takes security very seriously. We handle all security problems brought to our attention and ensure that they are corrected within a reasonable timeframe.

with something more factual, like

Debian's security updates are created by volunteers working in their spare time. Some packages may receive more attention than others. To view the current list of known unfixed vulnerabilities see https://security-tracker.debian.org/tracker/status/release/stable

(Side note: It seems that NVD tends to assign "medium" severity to vulnerabilities initially, but upgrades them to "high" or "critical" later. However, Debian keeps showing the initial severity rating)

Silas Cutler (Silas@BlackLab.io)
PGP Fingerprint (598A 812E FB8C BA19 69A5 D17A C14D A520 A02E 8CD6)

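The side note in the quoted message, that NVD often re-scores a CVE upward after publication while the Debian tracker keeps the urgency it was given at first, is something a practitioner can check mechanically rather than by eye. The script below is an added example for this thread, not a tool from Debian, the security team or NVD. It assumes the shape of the tracker's JSON export (https://security-tracker.debian.org/tracker/data/json: package, then CVE id, then a "releases" map carrying "status" and "urgency") and takes NVD's CVSS baseSeverity already reduced to a CVE-to-severity map; the data embedded in it is constructed, not live tracker or NVD output, and the ladder that lines Debian urgency up against NVD severity is an assumption of the example, since the two scales are not formally aligned.

```python
"""Flag open issues whose NVD severity now exceeds the urgency the Debian
security tracker recorded for them.

Added example for this thread; not Debian's, the security team's or NVD's tooling.
Assumed input shapes:
  * Debian tracker JSON export: {package: {cve_id: {"releases":
        {release: {"status": "open"|"resolved", "urgency": ...}}}}}
  * NVD CVE API 2.0 records reduced by the caller to {cve_id: baseSeverity}
    (the field lives at vulnerabilities[i].cve.metrics.cvssMetricV31[0]
    .cvssData.baseSeverity in the real API output).
All sample data below is constructed for the example.
"""
import json

# One ladder for both scales so they can be compared. This mapping is an
# assumption of the example; Debian urgency and CVSS severity are separate scales.
# Debian uses: unimportant, low, medium, high, plus "not yet assigned"/"end-of-life".
# NVD baseSeverity uses: NONE, LOW, MEDIUM, HIGH, CRITICAL.
RANK = {"none": 0, "unimportant": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed fragment in the shape of the tracker's JSON export.
DEBIAN_TRACKER_JSON = json.dumps({
    "examplepkg": {
        "CVE-2021-0001": {
            "description": "constructed sample issue",
            "scope": "remote",
            "releases": {
                "bullseye": {"status": "open", "urgency": "medium"},
                "bookworm": {"status": "resolved", "urgency": "medium",
                             "fixed_version": "1.1-1"},
            },
        },
        "CVE-2021-0002": {
            "description": "constructed sample issue",
            "scope": "local",
            "releases": {"bullseye": {"status": "open", "urgency": "not yet assigned"}},
        },
        "CVE-2021-0003": {
            "description": "constructed sample issue",
            "scope": "remote",
            "releases": {"bullseye": {"status": "open", "urgency": "high"}},
        },
    }
})

# Constructed NVD severities. CVE-2021-0001 models the case from the thread:
# published as MEDIUM, later re-scored to CRITICAL.
NVD_SEVERITY = {
    "CVE-2021-0001": "CRITICAL",
    "CVE-2021-0002": "HIGH",
    "CVE-2021-0003": "HIGH",
}


def open_issues(tracker_json, release):
    """Yield (package, cve_id, urgency) for issues still open in `release`."""
    data = json.loads(tracker_json)
    for package, cves in data.items():
        for cve_id, info in cves.items():
            rel = info.get("releases", {}).get(release)
            if rel is None or rel.get("status") != "open":
                continue
            yield package, cve_id, rel.get("urgency", "not yet assigned")


def severity_drift(tracker_json, nvd_severity, release):
    """Return {"drift": [...], "unscored": [...]}.

    drift:    (package, cve, debian_urgency, nvd_severity) where NVD now rates
              the issue higher than the urgency Debian recorded.
    unscored: issues that cannot be compared because Debian has not assigned an
              urgency or NVD has no (recognised) severity for the CVE.
    """
    drift, unscored = [], []
    for package, cve_id, urgency in open_issues(tracker_json, release):
        nvd = nvd_severity.get(cve_id)
        nvd_key = nvd.lower() if isinstance(nvd, str) else None
        if nvd_key not in RANK or urgency not in RANK:
            unscored.append((package, cve_id, urgency, nvd))
            continue
        if RANK[nvd_key] > RANK[urgency]:
            drift.append((package, cve_id, urgency, nvd))
    return {"drift": drift, "unscored": unscored}


if __name__ == "__main__":
    report = severity_drift(DEBIAN_TRACKER_JSON, NVD_SEVERITY, "bullseye")
    for pkg, cve, deb, nvd in report["drift"]:
        print(f"{cve} ({pkg}): Debian urgency '{deb}', NVD now {nvd}")
    for pkg, cve, deb, nvd in report["unscored"]:
        print(f"{cve} ({pkg}): not comparable (Debian '{deb}', NVD {nvd})")
```

Run against a real export you would fetch the tracker JSON and the NVD records yourself and build the severity map from the CVSS v3.1 metric; the script deliberately reports "not yet assigned" issues separately rather than treating a missing Debian urgency as low, since that gap is itself part of what the thread is pointing at.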
