[Pkg-mediawiki-devel] Early (embargoed) disclosure of upcoming security releases

Jonathan Wiltshire jmw at debian.org
Sat Mar 2 16:27:34 UTC 2013


I wonder if we could co-ordinate early disclosure of forthcoming security
fixes, such as that due on 4th March, to nominated contacts at the
various distributions. I speak only with a Debian hat, of course.

The problem I have currently is that I don't know what the content or
severity of these releases is in advance of the day, and so can't prepare
and test packages satisfactorily ahead of the release. I also can't
guarantee how much spare capacity I have around that time.

If we knew in advance what was coming up, we could prepare packages and
release them immediately after the upstream release. For Debian at least,
we already have the infrastructure to build and test in advance and then
just hit 'go' when the time comes.

This would also give us more time to prepare and test backports to
older versions, such as the 1.15 we currently have in stable and will
have for at least the next 12 months.

I would envisage such advance disclosures being embargoed and encrypted,


Jonathan Wiltshire                                      jmw at debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51

<directhex> i have six years of solaris sysadmin experience, from
            8->10. i am well qualified to say it is made from bonghits
			layered on top of bonghits
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: Digital signature
URL: <http://lists.alioth.debian.org/pipermail/pkg-mediawiki-devel/attachments/20130302/7bff50a4/attachment.pgp>

More information about the Pkg-mediawiki-devel mailing list