On Wed, 2008-04-16 at 13:55 +0200, Andrea De Iacovo wrote:
> Hi all.
>
> How do you think a maintainer should manage security issues when he is
> not the package developer? Should he/she either work alone to make
> patches or wait for the upstream patches/releases that solve the bug?
Notify upstream, work on the patch and stay in communication with upstream as you work. If you get a response from upstream, work together to come up with a complete solution but don't let that process cause undue delay to fixing the problem (especially close to a release, as now). If upstream are busy with other things, solve the problem yourself and make the upload - ask the security team for help with that side if you are unsure.

Solve the problem - if upstream come back to you with a different fix later, you can always migrate to that fix.

--
Neil Williams
=============
http://www.data-freedom.org/
http://www.nosoftwarepatents.com/
http://www.linux.codehelp.co.uk/