* Moritz Muehlenhoff:

> - The developer's reference entry wrt handling security bugs should
>   be updated/extended, it's currently too terse and lacks important
>   information.

One big problem is that it gives developers the impression that *all*
security fixes should be sent privately to the security team, and not
the BTS, even if the issue is already publicly known.

> - The tracking page should be generated for sid as well, it seems to me
>   that security bugs in packages not in testing are currently vanishing
>   from our radar.

<http://idssi.enyo.de/tracker/status/release/unstable>

It should be pretty accurate, perhaps more than the corresponding page
for testing.

> - There has been an offer by a company for their proprietary solution of
>   doing static analysis on binaries. There were some organisational hurdles
>   IIRC, should we come back to them?

Was it BugScan by chance?  They are gone.

> - Packages, which have been removed from testing by the RMs due to security
>   bugs should be handled separately, they might get lost from our radar,

This can be dealt with with tsck, but you need server-side support for
that.  (Not too hard to implement based on the database, especially if
the release tags I suggested are added to the list files.)

_______________________________________________
Secure-testing-team mailing list
[email protected]
http://lists.alioth.debian.org/mailman/listinfo/secure-testing-team

