On Tue, Jul 06, 2004 at 10:39:09PM +0200, Bernd Eckenfels wrote:
> In article <[EMAIL PROTECTED]> you wrote:
> > mdz told me this isn't done for practical reasons: the BTS isn't very
> > suitable for tracking which versions are affected, and a sid upload can
> > close such a bug while it's still in woody. While I think it'd still be
> > possible without too much hassle, if they don't want to do so, I'm not
> > going to interfere in that.
>
> Well, I guess anybody is free to open bugs against packages if they hear
> about vulnerabilities. I guess this even might help in some cases. But I
> don't think the security team can "publish" received vendor alerts before
> the going-public date. Effectively this is "hiding", but on the other hand
> it is also respecting the wishes and requests of others. And not honoring
> them will quickly lead to Debian being cut off from those alerts. So that's
> why unpublished alerts are not posted.
I'm only talking about published issues, of course; unpublished ones
shouldn't go into the BTS. Having the security team file bugs for
_published_ issues will make part of the work of the security team
(managing which vulnerabilities exist and apply to woody, and aren't fixed
yet) also available to non-security-team members, who then can possibly
help more effectively on security issues.

I'll post a list of a few such issues here later tonight, which are exactly
the kind of issues that could have been filed in the BTS.

--Jeroen

-- 
Jeroen van Wolffelaar
[EMAIL PROTECTED] (also for Jabber & MSN; ICQ: 33944357)
http://Jeroen.A-Eskwadraat.nl

