In article <[EMAIL PROTECTED]> you wrote:
> mdz told me this isn't done for practical reasons: the BTS isn't very
> suitable for tracking which versions are affected, and a sid upload can
> close such a bug while it's still in woody. While I think it'd still be
> possible without too much hassle, if they don't want to do so, I'm not
> going to interfere in that.

Well, I guess anybody is free to open bugs against packages if they hear about vulnerabilities. I guess this might even help in some cases. But I don't think the security team can "publish" received vendor alerts before the going-public date. Effectively this is "hiding", but on the other hand it is also respecting the wishes and requests of others. And not honoring them will quickly lead to Debian being cut off from those alerts. So that's why unpublished alerts are not posted.

Greetings
Bernd
--
eckes privat - http://www.eckes.org/
Project Freefire - http://www.freefire.org/