* Petter Reinholdtsen:
> The count of open security issues in stable and oldstable is probably
> a better measuring meter, and it does not look too good.
Security support is a task for Debian as a whole, not just the security team. IMHO, the main role of the security team is information sharing, risk assessment, and quality assurance for security updates. The team should act as a trusted point of contact, forward information from external sources to the relevant developers (in many cases this is possible, even if the information is considered sensitive), and respond to security-related questions, both from inside the project and from external entities. The team should have the final say in what can go into the archive as a security update, after it has weighed the security threat against the general risk of any change to the stable distribution.

It's also necessary for the team to review all security updates, to deal with the Single Point of Ownership problem. Even if all Debian developers are trustworthy, some of their machines might be compromised, or they simply make mistakes.

The security team has access to the privileged information which might be helpful while preparing security updates, true, but in most cases, after the issue has been disclosed to some extent (because upstream has issued an update, for example), their head start is gone.

Nevertheless, there seems to be a general tendency among Debian developers that security updates for stable are the job of the security team. In my eyes, this is the root of the problem. The security team shouldn't spend their time on package maintenance; that's what maintainers are for.

