[Secure-testing-team] updated poppler package

[Michael Gilbert]

On Mon, Feb 21, 2011 at 12:12 PM, Michael Gilbert wrote:
> On Mon, 21 Feb 2011 11:16:52 +0000, Jonathan Wiltshire wrote:
>> On Sun, Feb 20, 2011 at 08:30:25PM -0500, Michael Gilbert wrote:
>> > I wonder if it would help to set up a security.debian.org bug tracker
>> > (similar to the release.debian.org [0]) so stuff like this doesn't get
>> > lost?
>>
>> This occurred to me recently but actually it didn't fix the problem I had,
>> so I didn't take it any further.
>>
>> In what cases would bugs be filed against this pseudo-package instead of
>> against the package with the security issue? or do you envisage using the
>> 'affects' feature?
>
> I was thinking that it would be used to categorize/track security
> updates in preparation.  For example, categories could be
> "Stable/oldstable/testing security updates", "Unstable NMUs", etc
> (similar to release.debian.org's "Stable proposed updates", etc). That
> way non-DDs (and even DDs not on the security team) can easily prepare
> an update, send a bug report, and it will be easy for the security team
> to better track what is going on at any particular time.
>
> Bug against the original package would be unchanged.  In fact the
> security.debian.org bugs will usually resolve many other bugs.
>
> An alternative solution would be to add something like a
> data/updates-needing-review file to the security tracker.
>
> Personally I think the release.debian.org solution is ideal since it
> provides a good avenue for continued dialog, and it just plays well
> with the debian infrastructure.

Also, I think this would address the current black-hole-like nature of
security at debian.org.  It doesn't seem appropriate to default to
privacy when most issues are already disclosed.  Lets use a public
resource like the bug tracker by default, and only direct to security@
for rare cases.

Best wishes,
Mike