On Mon, Jan 14, 2002 at 12:05:34PM +0000, Tim Haynes wrote:
> Adam Warner <[EMAIL PROTECTED]> writes:
> > http://www.linuxtoday.com/news_story.php3?ltsn=2002-01-14-002-20-SC-DB
> >
> > Someone with better knowledge of all the facts might want to comment
> > on the claim that "Debian is always the last to fix security holes"
> > and the tag team follow up "I've been fighting for months now to try
> > to convince them to release an advisory or fix for ftpd..."
>
> Some of us wouldn't dare say such things without at least reviewing
> the given distro's security policy, FAQ and history.
> <http://www.debian.org/security/> is over there ---> .

Indeed. My only experience with trying to get an exploitable package
patched was rather disappointing though. I believe (not being a Debian
developer myself) that [EMAIL PROTECTED] goes to debian-private which is
only available to developers. It then requires the developer of the
package you're reporting about to be awake enough to /do/ something
about the bug you are reporting.

I had problems with apache whose old maintainer didn't really seem to
care (bug 104187 for the gory details).

So perhaps Debian security is only as good as the package maintainers?
I'm sure most maintainers do care and do investigate bugs. I probably
just had a bad experience.

--
----------( "Have you seen a man who's lost his luggage?" )----------
Simon ----( -- Suitcase )---- Nomis
Htag.pl 0.0.19