On Fri, 2018-06-08 at 20:12 +0200, Sylvain wrote:
> Hi,
> 
> On 08/06/2018 19:55, Adam D. Barratt wrote:
> > Control: tags -1 + confirmed
> > 
> > On Wed, 2018-06-06 at 19:54 +0200, b...@debian.org wrote:
> > > Please consider this update to freedink-dfarc for stretch.
> > > It fixes a security issue that can overwrite arbitrary user
> > > files.
> > > Sending to stable following security team's directions from 2018-
> > > 06-
> > > 01.
> > 
> > +freedink-dfarc (3.12-1+deb9u1) stable; urgency=high
> > 
> > Please use "stretch" as the distribution.
> > 
> > +  * Fix directory traversal in D-Mod extractor (CVE-2018-0496)
> > +  * Upload to 'stable' as security team rejected a DSA to
> > +    'stretch-security' (no justification)
> > 
> > The changelog is not the place for such commentary - please remove
> > it.
> > 
> > With the above changes made, and assuming that the resulting
> > package
> > has been tested on stretch, please feel free to upload.
> 
> As per Social Contract #3 I do have to explain to my users why they
> get the security fix after the disclosure.
> 

As with basically all core teams, Debian's security team is generally
stretched in terms of manpower and can't handle every possible update
that's security-related. Things have to be prioritised and sometimes
those updates end up being provided via proposed-updates. That's always
going to be the case in a volunteer project, and even larger and/or
commercially-backed projects will still have to decide which updates
they handle before others. This isn't a problem as such, just the way
things are.

(There's an argument that co-ordinated disclosure is in fact hiding
issues in and of itself. I don't particularly subscribe to that, nor do
I believe that any of this is what SC3 is actually trying to ensure.)

> This is not a commentary, this is purely factual.

It's not a description of a change made to the package, nor information
that users need in order to decide whether they should be installing
it. As such, it is commentary. That has nothing to do with its  
factuality or otherwise.

Regards,

Adam

Reply via email to