On Wed, Jul 07, 2004 at 01:17:01PM +0200, Jeroen van Wolffelaar wrote:
> On Wed, Jul 07, 2004 at 02:49:54AM +0200, Javier Fernández-Sanguino Peña wrote:
> > Why does the security team have to do this? Anybody can do it.
>
> Not without spending lots of time crawling through security lists,
> CAN/CVE's, bugtraq, verifying whether debian has the offending version, etc.
How do you think the security team does it? We do not have a magic filter
which shows us only issues which affect Debian stable; this is all done by
hand.

It is helpful if users spend the time collecting information about a
vulnerability and forward a complete report to the Security Team with
everything they need. This section in the Developer's Reference:

http://www.debian.org/doc/developers-reference/ch-pkgs.en.html#s-bug-security

describes what information should be provided about a vulnerability.

Note that, as the FAQ says, it is not helpful to simply forward a message
from BUGTRAQ or full-disclosure, because we already receive those. However,
if you are able to track down additional information, such as confirming
the vulnerability in stable and finding an appropriate patch, that _is_
helpful.

Since we are talking about publicly-known vulnerabilities, those wishing to
help out should feel free to CC their communications with the security team
to this (debian-security) mailing list, so that others do not duplicate
their work, and can see the status of the issue.

> Well, since usually the maintainer is informed about such an issue, the
> maintainer _can_ submit such a bug report when the issue is public. Maybe
> that is a better solution then, but yet, one depends on the maintainer in
> that case.

Debian has a lot of MIA maintainers; if the maintainer is active, in touch
with upstream, and willing to help the security team, security problems
with the package in stable don't stagnate. It is the stagnant issues that
generally need help, because the maintainer, upstream or both are not
responsive.

-- 
 - mdz
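The "verify whether stable has the offending version" step that both messages refer to comes down to a Debian version comparison: is the version shipped in stable older than the first fixed version? On a Debian system `dpkg --compare-versions` answers that. The following is an added example, not code from this thread or from dpkg: a stand-alone Python re-implementation of Debian's version ordering (epoch, upstream version, Debian revision; '~' sorting before everything, digit runs compared numerically) run over a constructed table of package versions. The package names and version strings are made up for illustration.

```python
"""Check whether versions shipped in a stable suite are older than the
first fixed version, using Debian's version ordering.

Added example; the package table at the bottom is constructed, not real data.
"""


def _order(c):
    # Ordering of non-digit characters: '~' sorts before anything, even
    # end of string; end of string before letters; letters before every
    # other character (e.g. '.', '+').
    if c == "~":
        return -1
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_fragment(a, b):
    """Compare two version fragments (upstream or revision) the way dpkg does."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit run: compare character by character with _order().
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return -1 if ac < bc else 1
            i += 1
            j += 1
        # Digit run: drop leading zeros, then compare numerically.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        first_diff = 0
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if first_diff == 0:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1  # a has more digits, so it is the larger number
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return -1 if first_diff < 0 else 1
    return 0


def parse_version(v):
    """Split '[epoch:]upstream[-revision]' into its three parts."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    if "-" in v:
        upstream, revision = v.rsplit("-", 1)
    else:
        upstream, revision = v, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 for a < b, a == b, a > b in Debian ordering."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    r = _cmp_fragment(ua, ub)
    if r:
        return r
    return _cmp_fragment(ra, rb)


def affected(shipped, first_fixed):
    """True if the shipped version is older than the first fixed version."""
    return compare_versions(shipped, first_fixed) < 0


# Constructed sample (hypothetical packages): name -> (version in stable, first fixed version).
SAMPLE = {
    "foo": ("1.2.3-2", "1.2.3-2woody1"),  # needs the stable security update
    "bar": ("2.0-1", "2.0-1"),            # already at the fixed version
    "baz": ("1:1.0-1", "1.1-1"),          # epoch wins: not affected
    "qux": ("1.0~rc1-1", "1.0-1"),        # '~' pre-release sorts before the release
}


def triage(table=SAMPLE):
    """Return the names of packages whose stable version is still affected."""
    return sorted(name for name, (shipped, fixed) in table.items() if affected(shipped, fixed))


if __name__ == "__main__":
    for name in triage():
        print(f"{name}: stable ships {SAMPLE[name][0]}, fixed in {SAMPLE[name][1]}")
```

The interesting cases are the ones people get wrong by eye: a revision like "2woody1" is newer than "2", an epoch outranks any upstream number, and a "~rc1" pre-release is older than the final release it precedes. Feeding the table with the versions from the stable Packages file and the fixed version from the advisory gives the "confirmed in stable" part of a report.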