On Sat, Jul 10, 2004 at 12:29:11PM +0200, Florian Weimer wrote:
> * Adrian von Bidder:
>
> > I think Jeroen is thinking about security problems the security team
> > already knows about but has not yet had time to handle (and which have
> > already been made public somewhere else.) Stupid if somebody has to
> > search the sources *again* if the security team already has the
> > information.
>
> Actually, it's rather time-consuming to determine if a security
> vulnerability has been published. You have to discover the
> publication, and then you have to decide whether it's actually the
> same issue and if it's been disclosed completely.
The first thing that is done when a security issue gets to the security
team is to assign a CAN number after it's verified. CAN entries are either
simply 'reserved' and hidden from the general public, or at some point the
content is opened up to the public. I guess/assume that opening up is
mailed to the security team in some way, or otherwise noticed. Then
sending a mail to [EMAIL PROTECTED] with a cut&paste (yank & put) of the
CAN/CVE description shouldn't be that much effort. But this is all IMHO,
and it is still a wishlist request.

> Filing bug reports about public issues is something any DD or user can
> do. I don't think this should be added to the duties of the security
> team. I'd appreciate if they commented on new security bugs that are
> tagged woody, though.

The security team monitors every bug report tagged security; I have had it
happen that the security team responded to a bug like that before I even
had the chance... So, they do already.

--Jeroen

-- 
Jeroen van Wolffelaar
[EMAIL PROTECTED] (also for Jabber & MSN; ICQ: 33944357)
http://Jeroen.A-Eskwadraat.nl