On 12/16/2016 03:33 PM, Rich Freeman wrote:

[snip some good stuff]

> In any case, fixing the security policy to match reality costs
> nothing, and actually following it on the major archs shouldn't cost
> THAT much.

This certainly makes sense. Ultimately one of the largest obstacles to
releasing GLSAs is the manpower to write them; the wait for stabilization
overlaps in time, so this is done simultaneously, and reducing the one
doesn't necessarily affect the total outcome. So if people care
about security, please do sign up to help out the project; we certainly
need it.

As package maintainers, consider helping the bugs along. A simple
example is calling for stabilization when a bump of a stable candidate
is in tree, filing bug reports when upstream marks a security issue, and
helping find the relevant CVEs etc. in bugs.

--
Kristian Fiskerstrand
OpenPGP keyblock reachable at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3