Remote crashes being fixed in 2.6.2

Ari Pollak ari at debian.org
Wed Sep 9 23:25:32 EDT 2009


Josh Bressers wrote:
> One could even use 2.6.0 as an example. There wasn't near the collaboration on
> the patch as there could have been. I was unfortunately away during that cycle,
> but normally I would have been happy to help test/verify the fix is what was
> needed.

Nobody specifically asked for my opinion, but it's been a bit
frustrating with all the security responses in the last month or so.
Having to wade through the threads just to find (or miss) the important
details seems less than ideal. Here are the things I'd love to see
improved to hopefully result in better coordination:

- For embargoed issues, try to have a CVE id, final patch against latest
release, description of the vulnerability, and firm unembargo date.
- For public issues, try to finalize the above information as quickly as
possible.
- E-mail vendor-sec with the CVE/patch/description/date as soon as possible.
- Perhaps make it possible to mark an issue as temporarily-private in
Trac for security bugs?
