> we only learned of it after they made a public release.
A what now? Debian's BTS is public, throughout the whole cycle, there was no 'public release'.
Unless you mean to say that after a CVE was requested for an issue that had been reported in a
public bug tracking system for months. Which by the way is one of the "good mechanisms" that
are already out there.
When you made a scene about this originally, you were mistaken and I corrected you then, but
clearly your anger has kept you from hearing the facts. Claiming that "Debian" failed to avoid
this sort of problem just goes to show you do not know what you are talking about. The
original submitter of the bug was not a Debian developer and their posting to the Debian BTS
does not constitute Debian failing to use good mechanisms. If you don't know why, I'll tell
you: Debian doesn't control random people posting bugs to the public system, and once it's been
posted, there is nothing that Debian can do to make it go away.
If your idea of good security practices is that Debian should have taken a many month old bug
that had been sitting on a public web site, that has been indexed by search engines, reposted
to many mailing lists, gated to NNTP and forums and wasted time trying to cover that up by
making the bug go away and chasing around google, yahoo, etc. to remove their cached
searches, scrubbing our public mailing list archives, asking GMANE to remove from their
archives the posting, etc. and then gone to vendor-sec to ask that a coordinated release was
undertaken... then you have to be out of your mind, or are just slandering Debian because
that's a convenient way to draw attention away from the fact that OpenSSH had a security hole.
Just take the hit, you had a security bug, and it sucked that it got a CVE assigned four days
after you released and were forced to release again. I know it makes you look bad, but don't
blame that on Debian, that makes you look worse.