On Mon, 29 Aug 2005, Paul Gear wrote:
> > if it's important... they will post dsa ??
>
> There certainly have been exceptions to that rule. The maintainer of

there will always be exceptions ...

> shorewall has been trying for weeks to get a DSA issued about a
> vulnerability, and it seems we have to convince Joey that it *is* a
> vulnerability before he'll issue it. (I don't understand this - how can
> Joey even *try* to understand every security bug?) Repeated attempts to
> communicate this have been met with silence.

if the originating authors thought xx was a security problem, they'd fix it

i doubt security problems are fixed by 3rd parties and released as
patches to the original w/o saying it is a 3rd party patch vs
fixed at the originating source

joey and crew can't possibly examine, review, fix, verify all bugs
no matter how good of an expert security coder they were

----

"(security) bug fix day" is a good way to get the team together to
address bug reports and verify/fix/confirm it

----

if "debian" didn't fix "xxx" to the degree needed, most other people
have created their own distro to address those issues instead of
"pointing fingers" with the expectations of: "please fix this for me"

----

we apply my own patches and methodology above/on-top of what debian offers
to keep things up to par with our "sanity requirement levels"

c ya
alvin

