
Re: Why is Debian not telling the truth about its security fixes?



January 22, 2022 3:51:28 PM CET "Andrew M.A. Cater" <amacater@einval.com> wrote:

> Debian does fix security problems 

The question is when: 0 days or 6 months after the CVE announcement? I mean, if you need 6 months, that's fine. Just don't claim that you do it in 0 days. That's dishonest. Does this make sense?

> Debian can feel free to set its own ratings 

But you can't call them "NVD severity", because NVD refers to the National Vulnerability Database. They do their own analysis of vulnerabilities, which some people find trustworthy. You can't just make up your own numbers and claim that they are the NVD ratings. That name is taken.

> You use the term falsehood - as if [all of] Debian were consistently lying to all its users. 

Debian is an organization. It's publishing certain statements on its web site that are false. How the misdeeds of an organization are shared among its members is an interesting philosophical question, but I don't believe I opined on it.


-- 
Sent with https://mailfence.com  
Secure and private email

