How to manage security issues when the maintainer is not the developer
On Wed, 2008-04-16 at 13:55 +0200, Andrea De Iacovo wrote:
> Hi all.
> How do you think a maintainer should manage security issues when he is
> not the package developer? Should he/she either work alone to make
> patches or wait for the upstream patches/releases that solve the bug?
Notify upstream, work on the patch and stay in communication with
upstream as you work.

If you get a response from upstream, work together to come up with a
complete solution but don't let that process cause undue delay to fixing
the problem (especially close to a release, as now).

If upstream are busy with other things, solve the problem yourself and
make the upload - ask the security team for help with that side if you

Solve the problem - if upstream come back to you with a different fix
later, you can always migrate to that fix.