Hi! Thanks Florian for your input. It's nice to hear opinions of people inside debian, but my remaining question is (and has already been picked up by the release team in the release meeting minutes), how and where the "we are not able to support you" state of the security team should be documented for the users of debian.
> It's the only approach that will result in timely fixes of the bugs > that are important to *you*. Any vendor team will work within very > tight constraints (time/budget, architecture support, backporting So you think that one person (not familiar with the code) can do it better or has more ressources than the security team + maintainers of the packages? > "Security is a process"? Sounds a bit like "faith is a verb". You are right :-) > If there's a patch which actually applies to Debian's version, it's > rather straightforward to apply it to the package and rebuild it, > especially if you are a bit familiar with Debian's major source > packaging environments. If this is the case, why shouldn't it be done by the security team? > > If there isn't a patch, the necessary changes are often very complex > and beyond what a security team can do. Since Debian has no way to > assign real developers remotely familiar with the code to work on a > port to the relevant version, such security updates never happen. You are right again. But how should this be communicated? Debian (and every distro) have a quite big base even in a server-setup. Lot's of packages result in a lot of possible problems for the system and it's admin. You can't read all security related infos/mailinglists on the internet. So to me it's a good idea to collect this information and the homepage of the distro might be the best place (like s.d.o). You need to communicate in an organized/team effort what hits the distro and what doesn't (like the CAN/Bugtraq lists on s.d.o). I don't want and can't be the advocate of the security team because my work in this area is near zero, but to my opinion the s-t is taking the challange quite well and has clearly defined what their do's/don'ts are. When I'm reading the last mails I get more and more the impression that you and others think that the work in s-supporting stable might be better in place at unstable which I can't support cause this is were upstream gets grip. (don't want to bash, but I've read them twice and I can't see the support for the idea of a s-t, maybe I realy misunderstood what you wrote) So back to the beginning. I like and I'm thankful to get support by the security team for the stable debian branch, but if this support can't be done for whatever reason - I want to get informed about this fact. I will feel better if this happens. How do you think about this? - But anyhow. Release team faced already up with this issue so I don't want to interfere with them until a suggestion is made. Thank you for reading so far. (As I can't keep it shorter I will shut up by now ) Cheers Helmut -- My GNUpg fingerprint http://www.gnupg.org 4563 F4FB 0B7E 8698 53CD 00E9 E319 35BD 6A91 1656 -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]