Saturday, September 10, 2005

We are secure. Or not?

A recent post by aj points to the never-ending saga of (old-)stable security updates. Indeed, I think the situation is quite a bit worse than the LWN statistics suggest. There are less-known bugs that have gone unfixed for months. My own reports about proftpd remained parked for a couple of months on both the stable and testing secteam lists, for instance. That's the bad news. The good news is that this is true for all distributions (and I will not talk about proprietary software, which can retain security bugs even for years after disclosure). That's not a Debian-only issue, folks.

A few personal ideas about security updates:
  • There are of course priorities in security issue management; not all bugs are first-class ones.
  • Security auditing is a slow process, and upstreams are not always able to provide fast and decent fixes. A partial fix is not worth much next to a full one.
  • I don't know if our secteams use a tracking system off list, with task lists and assignments. It would definitely be a good thing to have one, just in case, and maintainers should be able to submit patches and reports to it. One might think we should use the BTS for that. I don't think the BTS is the most suitable tracking system for security, since in some cases things cannot be published before fixes are available (yes, I know: non-full disclosure is evil, don't hide problems, etc., but I think responsible reporting is better).
  • A good number of issues are not tracked in the BTS. I personally rarely use the BTS for security, even for fully disclosed issues, when they are not so well known (no CANs, no official reports by upstreams, etc.). There are also issues known only to upstreams and me, sometimes. In those cases I only send e-mail to the secteams.
UPDATE: Indeed, I remembered wrong about proftpd: I found an ack by a testing secteam member about my report on the 30th of June. So they have been responsive; sorry joeyh.