On Wed, 2008-04-16 at 13:55 +0200, Andrea De Iacovo wrote:
> Hi all.
>
> How do you think a maintainer should manage security issues when he is
> not the package developer? Should he/she either work alone to make
> patches or wait for the upstream patches/relases that solve the bug?

Notify upstream, work on the patch and stay in communication with
upstream as you work.

If you get a response from upstream, work together to come up with a
complete solution but don't let that process cause undue delay to fixing
the problem (especially close to a release, as now).

If upstream are busy with other things, solve the problem yourself and
make the upload - ask the security team for help with that side if you
are unsure.

Solve the problem - if upstream come back to you with a different fix
later, you can always migrate to that fix.

--


Neil Williams
=============
http://www.data-freedom.org/
http://www.nosoftwarepatents.com/
http://www.linux.codehelp.co.uk/