In gmane.linux.debian.devel.security, you wrote:
>>Part of the problem with security updates has to do with the fact that
>>it's just difficult to coordinate the work. Even when Wichert, mdz, and
>>others were more active, Joey still did most of the work because it was
>>often easier for one person to keep track of everything.
>
> That's exactly it. There's no effective tracking of security problems,
> and some people don't see this as a problem. That makes it extremely
> difficult for others to see what needs to be done.

Have a look at the system we use for the testing security team (I always thought it originated in the security team):

http://lists.alioth.debian.org/pipermail/secure-testing-commits/2005-June/thread.html

This system is so efficient that most communication is basically made through svn log messages. A similar way would be very nice for stable security support as well.

The whole embargo thing about stable security is overrated anyway; as far as I can see it for May and June only mailutils, qpopper and ppxp were embargoed, so that they hadn't been publicly known when the DSA was published (and even for mailutils and qpopper there was a small time frame of 1-2 days between first vendor fix and the DSA). The majority of all issues could be handled a lot more transparently, IMO.

Cheers,
Moritz

