On Tue, 2021-12-28 at 19:46 +0100, max wrote:

> Debian's security updates are created by volunteers working in their
> spare time. Some packages may receive more attention than others. To
> view the current list of known unfixed vulnerabilities see
> https://security-tracker.debian.org/tracker/status/release/stable

This isn't entirely factual either. The LTS team is mostly composed of people being paid to contribute, with some volunteers. Some of the stable security team may also be paid, but there isn't any public information about who is paid and who they work for.

https://wiki.debian.org/LTS/Team
https://wiki.debian.org/LTS/Funding

I suggest contacting the stable and LTS security teams to draft a statement that best represents the current and future reality of Debian security updates.

https://www.debian.org/security/faq#contact
https://wiki.debian.org/LTS#Get_in_contact
https://wiki.debian.org/LTS/Contact

> (Side note: It seems that NVD tends to assign "medium" severity to
> vulnerabilities initially, but upgrades them to "high" or "critical"
> later. However, Debian keeps showing the initial severity rating)

Please send a patch, issue or mail about that separately.

--
bye,
pabs

https://wiki.debian.org/PaulWise