[Secure-testing-team] [pkg-horde] Security Management for Horde packages

Moritz Muehlenhoff jmm at inutil.org
Thu Feb 7 21:48:39 UTC 2008


On Thu, Feb 07, 2008 at 08:56:15PM +0100, Gregory Colpart wrote:
> On Thu, Feb 07, 2008 at 07:57:56PM +0100, Nico Golde wrote:
> > > 
> > > > Why not just send a mail to the vendor-sec list?
> > > 
> > > Because Gregory and Ola are not on that mailing list, and can't be,
> > 
> > You can still be put in the CC though....
> > 
> > > because they are not members of the Debian security teams? And having the
> > > maintainers in the loop is a Good Thing (tm)?
> > 
> > Writing to vendor-sec should be the correct solution; at
> > least that's what vendor-sec is exactly for: the vendors
> > will get the problem, discuss patches and fix with
> > upstream developers and other vendors...
> 
> I request that the vendor-sec list be subscribed to the Horde vendor
> list. Then the Debian stable security team will have the information
> via vendor-sec and the Debian maintainers also via horde-vendor.

That won't work. Vendor-sec is only for distributors; the only
software project which is subscribed by itself is security at kernel.org.

Just tell Horde to do it like the other projects: if an issue
is found, send a mail to vendor-sec at lst.de (everyone can send mail
to it) and they'll be CCed on replies. The Horde folks should also
set up a packagers list (which includes you and Ola), which
can be CCed as well. (That's how X.org and many other projects
handle it.)

Please pass upstream our thanks for this initiative; that's a big
step forward.

Cheers,
        Moritz
