[Secure-testing-team] [Secure-testing-commits] r13025 - data/CVE

Michael Gilbert michael.s.gilbert at gmail.com
Fri Oct 23 02:08:09 UTC 2009


On Thu, 22 Oct 2009 00:04:40 -0500 Raphael Geissert wrote:

> Michael Gilbert wrote:
> [...]
> > 
> > may i re-suggest submitting a bug report when you don't have time to
> > fully triage the issue so we can get more eyeballs on the problem
> > sooner; hopefully leading to a more rapid response time (of course this
> > is assuming an active and caring maintainer, which tends to not be the
> > case most of the time)? it's easy with the report-vuln script.
> > 
> 
> In the case of at least one (IIRC) of the go-oo issues I think it was
> already addressed by a CVE that was assigned to oo.o only. The amsn issue
> is rather old and has probably been already fixed.
> 
> For those reasons I hesitated to file bug reports. Maybe we should bring
> this up again and try to reach a consensus on whether we should try to
> involve maintainers the most (without falling on the "the maintainer is
> handling it so we have nothing to do" side).

i have been under the impression that the security team remains
responsible for issues regardless of whether a bug is submitted or
not.  i see the bug report as a venue to try to get the maintainer
involved (if they are willing, which sadly isn't often) and to track
detailed progress without overwhelming the tracker.

i think that involving the maintainer does no harm, and we should
certainly not consider issues off our plate just because a bug is
submitted. in fact, we should remain involved as much as possible
throughout the entire lifetime of the issue.

we do need someone to say somewhat forcefully, "security is everyone's
responsibility, so if you get a security report, it should be your
highest priority (in most circumstances)."

mike
