Hi,

As I promised in [1], a suggestion for the Debian security team.

Since the security team is generally very busy sorting out any kind of vulnerability, sometimes fixes can take a little bit longer than usual, especially if the impact is relatively low. Taking the Social Contract's 'We will not hide problems', and those vulnerabilities that have already been made public, I think it'd be a good idea if the security team, once a vulnerability is already made public, for example via Bugtraq or something, or some other vendor/upstream announced it, files a bug (tagged woody usually, I guess) in the BTS about it. There is no longer a reason to hide the problem, i.e., keep it away from the BTS, once it is published. This also enables other people to 1) see there is a security defect in that package in woody, 2) help solving it by adding patches, so the security team only has to check the patches.

As an example, take CAN-2004-0519, CAN-2004-0520 and CAN-2004-0521, all three not yet solved in woody, but also not filed in the BTS (hm, two of them directly refer to a patch [2][3] solving it...).

Therefore, I'd like to ask the security team to file grave bugs with security+woody on packages for which a vulnerability has been made public, and a security announcement isn't nearly ready. I can't imagine this would interfere too much with the issue tracker or whatever the security team internally uses to track issues. Or is there some reason filing bugs like I described here isn't wanted?

--Jeroen

[1] http://lists.debian.org/debian-security/2004/07/msg00030.html
[2] http://marc.theaimsgroup.com/?l=squirrelmail-cvs&m=108532891231712
[3] http://marc.theaimsgroup.com/?l=squirrelmail-cvs&m=108309375029888

-- 
Jeroen van Wolffelaar
[EMAIL PROTECTED] (also for Jabber & MSN; ICQ: 33944357)
http://Jeroen.A-Eskwadraat.nl

