On Tue, Jun 28, 2005 at 01:56:55AM +0200, Moritz Muehlenhoff wrote:
> Have a look at the system we use for the testing security team (I always
> thought it originated in the security team):
> http://lists.alioth.debian.org/pipermail/secure-testing-commits/2005-June/thread.html
>
> This system is so efficient that most communication is basically made
> through svn log messages.
>
> A similar way would be very nice for stable security support as well.

Interesting; I didn't know about this. I suggested to Joey Hess that stable and testing security work should be done by a single security team; one of the benefits of this would be convergence on better tools.

> The whole embargo thing about stable security is overrated anyway; as far
> as I can see it for May and June only mailutils, qpopper and ppxp were
> embargoed, so that they hadn't been publicly known when the DSA was
> published (and even for mailutils and qpopper there was a small time frame
> of 1-2 days between first vendor fix and the DSA). The majority of all
> issues could be handled a lot more transparent, IMO.

Yes, non-embargoed issues could be handled more transparently. The best way to deal with non-embargoed issues, of course, is for the package maintainer to prepare an update and send it to the security team.

--
 - mdz