David Rees said: > If the vulnerability was that serious, there would be more people > interested in testing the package. In the case of ethereal, it seems > that not many people are interested in the package, hence the low > interest in testing it. http://www.debian.org/News/2003/20031202 Some vulnerabilities only become "Serious" after the fact. So, a package sits in testing for a week, gets pushed to updates. The 1 person that is using it starts to complain about something. This would be a great time to introduce this person to the QA process and get them involved. I think the majority of the time the case would be that a number of people have downloaded that package and not bothered to "official" give it a thumbs up. No news is good news. Using the ethereal example: If you have a serious need for it, then you need to test it. Isn't that part of having "community" updates, that the "community" decides how good the updates are? -- William Hooper
