| 1 |
On 12/16/2016 03:33 PM, Rich Freeman wrote: |
| 2 |
|
| 3 |
[snip some good stuff] |
| 4 |
|
| 5 |
> In any case, fixing the security policy to match reality costs |
| 6 |
> nothing, and actually following it on the major archs shouldn't cost |
| 7 |
> THAT much. |
| 8 |
|
| 9 |
This certainly makes sense. Ultimately one of the largest obstacle to |
| 10 |
releasing GLSAs is the manpower to write it, the wait for stabilization |
| 11 |
is an overlap in time so this is done simultaneously, reduction of the |
| 12 |
one doesn't necessarily affect the total outcome. So if people care |
| 13 |
about security, please do sign up to help out the project, we certainly |
| 14 |
need it. |
| 15 |
|
| 16 |
As package maintainers, consider helping the bugs along, a simple |
| 17 |
example is calling for stabilization when a bump of a stable candidate |
| 18 |
is in tree, file bug reports when upstream marks a security issue, help |
| 19 |
find the relevant CVEs etc in bugs. |
| 20 |
|
| 21 |
-- |
| 22 |
Kristian Fiskerstrand |
| 23 |
OpenPGP keyblock reachable at hkp://pool.sks-keyservers.net |
| 24 |
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3 |
Archives