Saturday, September 10, 2005

We are secure. Or not?

A recent post by aj points out the never-ending saga of (old-)stable security updates. Indeed, I think the situation is much worse than it seems from the LWN statistics. There are lesser-known bugs left unfixed for months. My own reports about proftpd sat parked for a couple of months on both the stable and testing secteam lists, for instance. That's the bad news. The good news is that this is true for all distributions (and I will not talk about proprietary software, which may retain security bugs for years after disclosure). This is not a Debian-only issue, folks.

A few personal ideas about security updates:
  • There are of course priorities in security issue management; not all bugs are first-class ones.
  • Security auditing is a slow process, and upstreams are not always able to provide fast and decent fixes. A partial fix is nowhere near as good as a full one.
  • I don't know whether our secteams use an off-list tracking system, with task lists and assignments. It is definitely a good thing to do, just in case, and maintainers should be able to submit patches and reports to it. One could argue we should use the BTS for that. I don't think the BTS is the most useful tracking system for security, and in some cases things cannot be published before fixes are available (yes I know, non-full disclosure is evil, don't hide problems, etc., but I think responsible reports are better).
  • A good number of issues are not tracked in the BTS. I personally rarely use the BTS for security, even for fully disclosed issues, when they are not so well known (no CANs, no official reports by upstreams, etc.). There are also issues known only to upstreams and me, sometimes. In those cases I only send e-mail to the secteams.
UPDATE: indeed, I remembered wrong about proftpd; I found an ack by a testing secteam member about my report on the 30th of June. So they have been responsive, sorry joeyh.

Saturday, September 03, 2005

Open comments are annoying due to spam/trolling

Sorry, but I cannot agree with Kern's observation about blog comments... Unfortunately open blogs and wikis are subject to almost continuous and annoying spamming. I have a few wikis around and I had to close them to properly registered users, in order to avoid that problem. One cannot spend one's lifetime despamming wikis manually, by reverting revisions or whatever else. Some programs do not allow easy despamming of changelogs either.
I would add that a few of them also allow bot registration easily, so they do not protect the blog at all against smart spammers when comments are activated.
That said, I'm already quite annoyed by ML flamewars; I would rather avoid seeing blog flamewars and Planet flooding too, even if we lived in a perfect world.

Friday, September 02, 2005

Silly bugs in proftpd still around...

A couple of users pointed me to a few silly and old bugs in the proftpd package, never discovered before. Wow, I can really confirm it now: the more pairs of eyes look at a piece of software, the more bugs are found and fixed. Thanks Christoph and Ryo. This is the very special advantage of free software...