Re: RFC: allow new upstream into stable when it's the only way to fix security issues.
Anthony DeRobertis


08-03-05 12:51 PM

Joe Smith wrote:
> How about if it meets the following criteria:
>
> 1. it has been in testing for 10 days (been in sid at least 20 days)

This means the security hole was disclosed at least 20 days ago,
probably more.

> 2. Iff it fixes a critical security problem, uploaded to security (This
> requires security team and/or stable RM approval).

Requiring more manual action, give this at least a few days I'd say.

So we're looking at leaving our users exploitable for the better part of
a month, before we even release an update, in the *best case* under this
procedure.

I think we can generally expect that a package like Mozilla Firefox will
take more than 10 days to get into testing, especially if we're in the
middle of, say, a C++ transition. Also, it's quite possible the
maintainer convincing the security team to release the update, and then
the security team actually doing so, could take another week (remember,
Mozilla takes a while to autobuild, too).

This could easily leave our users vulnerable for over a month. Is that
really acceptable on today's Internet? It doesn't take long at all for
exploit code to be written and released into the wild.

