
Re: Stable security support



On Thu, Dec 22, 2005 at 06:59:24PM +1000, Anthony Towns wrote:
> On Thu, Dec 22, 2005 at 08:54:36AM +0100, Adrian von Bidder wrote:
> > Problem with a GR: it doesn't get any work done.
> > Scenario I:
> >  * some people see something needs doing
> >  * 200+ thread on d-d
> >  * some (other) people are ready to do the work
> >  * the work is done.
> > Scenario II:
> > like the above, but there is a delay of several weeks while a GR confirms 
> > that the work needs doing.
> I doubt there's going to be much happening between now and New Year; so
> holding a GR over that time wouldn't provide much of a delay.

Since the above, Moritz Muehlenhoff has been added as a security
secretary and given privileges to do security updates for testing via the
security.debian.org infrastructure, but there's been no other activity
to my knowledge. The testing-security team haven't issued any advisories
since about this time in December. Joey's issued about 13 advisories
in that time. There's discussion on the secure-testing-team list on
this topic [0], and also some discussion led by Moritz about using the
secure-testing infrastructure to track DSAs.

For reference, of the 17 DSAs in December, one was a repeat, and the rest
can probably be categorised as:

Debian specific (probably not well known 'til Debian released a DSA):

  [27 Dec 2005] DSA-928 dhis-tools-dns (20051027)
  [23 Dec 2005] DSA-926 ketm (20051116)

Under a week between CVE and DSA: -

Under two weeks between CVE and DSA:

  [21 Dec 2005] DSA-924 nbd (20051210)
  [19 Dec 2005] DSA-923 dropbear (20051211)

Under a month between CVE and DSA:

  [13 Dec 2005] DSA-920 ethereal (20051118)
  [08 Dec 2005] DSA-917 courier (20051116)
  [07 Dec 2005] DSA-916 inkscape (20051121)
  [01 Dec 2005] DSA-914 horde2 (20051116)

Under two months between CVE and DSA:

  [22 Dec 2005] DSA-925 phpbb2 (20051022)
  [12 Dec 2005] DSA-919 curl (20051012)
  [09 Dec 2005] DSA-918 osh (20051027)

Over two months since CVE:

  [29 Dec 2005] DSA-927 tkdiff (20051027)
  [14 Dec 2005] DSA-922 kernel-source-2.6.8 (20050803)
  [14 Dec 2005] DSA-921 kernel-source-2.4.27 (20050803)
  [02 Dec 2005] DSA-915 helix-player (20050819)
  [01 Dec 2005] DSA-913 gdk-pixbuf (20050919)

That may not be entirely fair, but as someone who doesn't follow security
issues too closely, that's the best performance analysis I can come
up with.

Cheers,
aj

[0] http://lists.alioth.debian.org/pipermail/secure-testing-team/2005-December/000625.html
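An added example, not part of the mail or of any Debian tooling: a Python script that parses advisory lines in the format the mail uses and computes the CVE-to-DSA lag in days, labelling each with the mail's bucket names. The day cutoffs are an assumption chosen to reproduce the mail's grouping; the "Debian specific" category is a judgement call the script does not attempt.

```python
import re
from datetime import datetime

# Entry format used in the mail: "[27 Dec 2005] DSA-928 dhis-tools-dns (20051027)",
# i.e. date the DSA was issued, DSA id, package, CVE/disclosure date as YYYYMMDD.
ENTRY = re.compile(r"\[(\d{2} \w{3} \d{4})\]\s+(DSA-\d+)\s+(\S+)\s+\((\d{8})\)")

# Exclusive upper bound in days for each of the mail's buckets; the cutoffs are
# an assumption chosen to reproduce the grouping the mail gives.
BUCKETS = [(7, "under a week"), (14, "under two weeks"),
           (31, "under a month"), (62, "under two months")]

def parse_entry(line):
    """Return (dsa_id, package, cve_date, dsa_date), or None for a non-entry line."""
    m = ENTRY.search(line)
    if not m:
        return None
    dsa_date = datetime.strptime(m.group(1), "%d %b %Y").date()
    cve_date = datetime.strptime(m.group(4), "%Y%m%d").date()
    return m.group(2), m.group(3), cve_date, dsa_date

def bucket(days):
    """Label a lag in days with the mail's category names."""
    for limit, label in BUCKETS:
        if days < limit:
            return label
    return "over two months"

def analyse(text):
    """Map each DSA id found in text to (package, lag in days, bucket label)."""
    result = {}
    for line in text.splitlines():
        parsed = parse_entry(line)
        if parsed is None:
            continue  # headings, blank lines and the "-" placeholder are skipped
        dsa, pkg, cve_date, dsa_date = parsed
        days = (dsa_date - cve_date).days
        result[dsa] = (pkg, days, bucket(days))
    return result

# Sample input: four entry lines copied from the mail (constructed test input).
SAMPLE = """\
  [21 Dec 2005] DSA-924 nbd (20051210)
  [13 Dec 2005] DSA-920 ethereal (20051118)
  [12 Dec 2005] DSA-919 curl (20051012)
  [14 Dec 2005] DSA-922 kernel-source-2.6.8 (20050803)
"""

if __name__ == "__main__":
    for dsa, (pkg, days, label) in sorted(analyse(SAMPLE).items()):
        print(f"{dsa} {pkg}: {days} days, {label}")
```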
