Hi Guido & LTS/Security folks,

Thanks very much for publishing this summary.  Since I was not able to
participate in person I would like add a few thoughts.  See my comments
below inline.

On Wed, Aug 09, 2017 at 12:17:36AM -0300, Guido Günther wrote:
> 
> * BTS is the canonical place for communication about the bug so the idea
>   is to change bin/contact-maintainer to use the BTS this would avoid
>   double communication from security and lts team (and maybe also avoid
>   the maintainers from feeling pushed like we had in the past). Are
>   there any objections?
>       
I think this is an excellent idea.

> * D{S,L}A texts are hand written. Copying texts from other distros,
>   websites might be problematic due to license so better rewrite from
>   scratch (which largely rules out further automation). The CVE number
>   links to all the details so the type of severity (and attribution if
>   found) is enough, the rest can be found by interested people on the
>   web.
> 
> * license of CVE text is unclear -> Moritz rewrites from scratch
>   - generic description of the issue instead of details of functions
> 
Is it still OK to use verbatim text from a DSA in a DLA?  It seems like
that should be OK, and it is something I do sometimes, as the DSAs are
frequently published first and I feel like sharing the same summary text
regarding a particular vulnerability keeps everything consistent.

-- 
Roberto C. Sánchez

Reply via email to