path: root/doc/narrative_introduction-testing-security
blob: 8a085d3e907cff456b8a98db705016c8eaefd17e
	A Narrative Introduction to the Testing Security

Stable security deals with embargoed/vendor-sec issues; we don't. We
deal with issues that have already been assigned CVE numbers (although
we often request these assignments ourselves), that have been posted
to common security mailing lists, or that are seen in the commit logs
of software that is tracked (such as the Linux kernel).

It is our philosophy that if the Internet knows that there is a
vulnerability in something, then we had better know about it, the
package maintainer needs to know about it, and it needs to be fixed as
soon as possible. It doesn't make sense to hide issues that everyone
knows about already. In fact, users have told us that they prefer to
know not only when a package they have installed is vulnerable (so
they can disable it, firewall it off, patch it, or whatever), but
also that Debian is working on a fix. Transparency is what our
users expect, and what they deserve. Tracking publicly known issues
openly (and the occasional unfortunate embargoed issue privately) is
good for the project as a whole, and especially for the public's
perception of the project.

TODO:
document DTSAs
