* Steve Kemp:

> However a useful response such as "Yes we've got your package report
> and we'll update an advisory after we've done openssh, mozilla, the
> kernel." is not going to happen.

The web pages state that you aim for a fix within 48 hours. Maybe this sentence should be removed? See the patch below.

Please note that I don't think this is the fault of the security team. Debian has grown since this promise, and the complexity of the distribution has increased significantly.

Another indicator is that since the release of sarge, a CVE-worthy vulnerability has been fixed every 20 hours. I don't think any other software vendor currently matches that pace.

Index: index.wml =================================================================== RCS file: /cvs/webwml/webwml/english/security/index.wml,v retrieving revision 1.77 diff -u -u -r1.77 index.wml --- index.wml 17 Oct 2005 21:54:18 -0000 1.77 +++ index.wml 28 Oct 2005 15:40:46 -0000 @@ -2,8 +2,7 @@ #use wml::debian::recent_list #include "$(ENGLISHDIR)/releases/info" -<P>Debian takes security very seriously. Most security problems brought -to our attention are corrected within 48 hours.</P> +<P>Debian takes security very seriously.</P> <P>Experience has shown that "security through obscurity" does not work. Public disclosure allows for more rapid and better solutions to security problems. In
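
Review bot: in the `@@ -2,8 +2,7 @@` hunk of index.wml, dropping the 48-hour sentence leaves the opening paragraph as the bare line "Debian takes security very seriously." with nothing telling a reader what response to expect after reporting a problem. Consider replacing the removed sentence with wording that sets an expectation without naming a time, rather than deleting it outright. The diff touches only english/security/index.wml, so any other page that repeats the 48-hour figure would need the same change.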

