January 22, 2022 3:51:28 PM CET "Andrew M.A. Cater" <amaca...@einval.com> wrote:

> Debian does fix security problems 

The question is when: 0 days or 6 months after the CVE announcement? I mean, if 
you need 6 months, that's fine. Just don't claim that you do it in 0 days. 
That's dishonest. Does this make sense?

> Debian can feel free to set its own ratings 

But you can't call them "NVD severity", because NVD refers to the National 
Vulnerability Database. They do their own analysis of vulnerabilities, which 
some people find trustworthy. You can't just make up your own numbers and claim 
that they are the NVD ratings. That name is taken.

> You use the term falsehood - as if [all of] Debian were consistently lying to 
> all its users. 

Debian is an organization. It's publishing certain statements on its web site 
that are false. How the misdeeds of an organization are shared among its 
members is an interesting philosophical question, but I don't believe I opined 
on it.


-- 
Sent with https://mailfence.com  
Secure and private email
