Joe Smith wrote:
> How about if it meets the following criteria:
>
> 1. it has been in testing for 10 days (been in sid at least 20 days)

This means the security hole was disclosed at least 20 days ago, probably more.

> 2. Iff it fixes a critical security problem, uploaded to security (This
> requires security team and/or stable RM approval).

Requiring more manual action, give this at least a few days I'd say.

So we're looking at leaving our users exploitable for the better part of a month, before we even release an update, in the *best case* under this procedure.

I think we can generally expect that a package like Mozilla Firefox will take more than 10 days to get into testing, especially if we're in the middle of, say, a C++ transition. Also, it's quite possible the maintainer convincing the security team to release the update, and then the security team actually doing so, could take another week (remember, Mozilla takes a while to autobuild, too).

This could easily leave our users vulnerable for over a month. Is that really acceptable on today's Internet? It doesn't take long at all for exploit code to be written and released into the wild.