On Wed, Apr 07, 2004 at 10:41:24AM +0200, Florian Weimer wrote:
> Matt Zimmerman wrote:
>
> > On Wed, Mar 31, 2004 at 09:22:38AM +0200, Florian Weimer wrote:
> >
> > > Chad Waters wrote:
> > >
> > > > Better metric: fix time from vendor's notification date
> > >
> > > The last DSA was released with a delay of 2.5 years...
> >
> > No idea what you are talking about.
>
> http://cert.uni-stuttgart.de/advisories/postgresql_pam_nss.php
> http://www.debian.org/security/2004/dsa-469
>
> The package wasn't part of potato, that's why the Security Team wasn't
> involved. Apparently, the maintainer failed to fix those bugs and the
> broken version (or a subsequent one) was released with woody.

You will grant, then, that this isn't quite the same thing as a "DSA [...] released with a delay of 2.5 years [from vendor's notification date]".

--
 - mdz