* martin f. krafft: >> I don't think so. Joey seems to be satisfied with this situation, > > How would you know?
Joey doesn't ignore all mail, only some of it. > That's because complaints don't actually have any result, so I, for > instance, have stopped. I've pointed to severe problems with Debian > stable security We have problems, sure, but to me, it seems that these mainly come from the impression that the real package maintainers think security work has special trust requirements and is restricted to the security team. Or are there many packages with backported security patches, ready for upload, and the security team does not act on them? I don't think so. Instead, I frequently encountered maintainers who eagerly closed security bugs even though they were still unfixed in oldstable or even stable. [*] The main shortcoming in the area of the security team is lack of documentation of bug fixing policies. Obviously, we don't have full security support in place for packages that have long abandoned by upstream for some classes of bugs (BIND 8, for example) or have principal issues which can't be fixed reliably at reasonable cost (PHP). This must be communicated to our users, and this seems to be a difficult thing to do in the current situation. > I don't think Joey found it necessary just a single time to > articulate a position on the issue of e.g. the three week outage in > the security team throughout June. > > The final announcement that was sent was not authored by Joey, but > by other DDs who were similarly concerned. I wouldn't read too much into that. To some extent, the security team is just a client of Debian's infrastructure. The lack of transparency makes it very hard to analyze failures and put blame on certain individuals or groups of people. > Now we've had another issue of problems with s.d.o, but we had to > learn about them from Heise. Maybe that's because it was a non-issue which didn't affect anyone? 8-) [*] In the past, this was a side effect of how package uploads interact with the BTS. Perhaps version tracking has improved this? -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
