
Re: Stable security support



Anthony Towns wrote:
> Since the above, Moritz Muehlenhoff has been added as a security
> secretary and given privileges to do security updates for testing via the
> security.debian.org infrastructure, but there's been no other activity
> to my knowledge.

I'm busy with the sarge2 kernel update; I'll come back to you for the
testing queue once this is finished.

Wrt stable: quite a bunch of DSAs are pending.

> The testing-security team haven't issued any advisories
> since about this time in December.

There were some cases where a DTSA would've been desirable, but no one
had time/didn't care, yes. But generally, the propagation chains have
been rather easy in the past weeks and most updates made it through
regular sid->testing propagation, which is the preferred procedure in
general. There'll be some proposed improvements from my side as well, which
I'll send to secure-testing-team@, once I have a bit more free time.

> There's discussion on the secure-testing-team list on
> this topic [0], and also some discussion led by Moritz about using the
> secure-testing infrastructure to track DSAs.

This is already publicly available; the current state of open security
issues in stable and oldstable is available at
http://idssi.enyo.de/tracker/status/release/stable and
http://idssi.enyo.de/tracker/status/release/oldstable

We still need to sort out some false positives, i.e. packages that have a lower
version number than the recorded sid fix, but which are not vulnerable for
some reason (e.g. the affected code isn't present), but in general the data
quality is quite solid. I expect that we'll have checked the backlog by the
end of next week.

There's also an experimental local frontend in sid since a few weeks ago. It's
called debsecan and operates on the same data basis.

Cheers,
        Moritz
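The false positives Moritz describes come from a version check: a package in stable is flagged when its version is lower than the version recorded as fixed in sid, unless someone has noted that this particular package is not affected. The following is an added example, not code from the Debian security tracker or from debsecan: it re-implements dpkg's version ordering in Python (epoch, upstream, revision, with `~` sorting before everything) and shows how a per-package "not affected" note suppresses the spurious finding. The package names, versions and notes in `SAMPLE` are constructed for illustration.

```python
"""Model of the version check behind the stable/oldstable status pages.

Added example, not the tracker's or debsecan's own code. Version ordering
follows dpkg's rules (epoch, then upstream, then Debian revision; '~'
sorts before the end of the string, digits compare numerically).
"""

DIGITS = "0123456789"


def _is_digit(c):
    return c in DIGITS


def _is_alpha(c):
    return ("a" <= c <= "z") or ("A" <= c <= "Z")


def _order(c):
    """Weight dpkg gives a non-digit character ('' means end of string)."""
    if c == "" or _is_digit(c):
        return 0
    if _is_alpha(c):
        return ord(c)
    if c == "~":
        return -1  # '~' sorts before everything, even the end of the string
    return ord(c) + 256  # other punctuation sorts after letters


def _verrevcmp(a, b):
    """Compare two upstream or revision strings the way dpkg does."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: compare character weights one by one.
        while (i < len(a) and not _is_digit(a[i])) or (j < len(b) and not _is_digit(b[j])):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: strip leading zeros, then compare numerically by length/first difference.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and _is_digit(a[i]) and j < len(b) and _is_digit(b[j]):
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and _is_digit(a[i]):
            return 1   # a has more digits, so it is the larger number
        if j < len(b) and _is_digit(b[j]):
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version):
    """Split 'epoch:upstream-revision' into its three parts."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    upstream, revision = version, ""
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return <0, 0 or >0, like `dpkg --compare-versions`."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return ea - eb
    c = _verrevcmp(ua, ub)
    if c != 0:
        return c
    return _verrevcmp(ra, rb)


def issue_status(release_version, sid_fixed_version, not_affected=False):
    """Classify one package/issue pair: a manual note beats the version check."""
    if not_affected:
        return "not-affected"  # e.g. the affected code isn't present in this version
    if sid_fixed_version is None:
        return "open"  # no fix recorded anywhere yet
    if compare_versions(release_version, sid_fixed_version) >= 0:
        return "fixed"
    return "vulnerable"


# Constructed sample data: (package, version in stable, version fixed in sid, not-affected note)
SAMPLE = [
    ("pkg-a", "1.2-3", "1.4-1", False),        # older than the sid fix: vulnerable
    ("pkg-b", "1.2-3sarge1", "1.2-3", False),  # stable backport is newer than the fix: fixed
    ("pkg-c", "0.9-1", "1.0-1", True),         # lower version, but code not present: suppressed
    ("pkg-d", "2.0~rc1-1", "2.0-1", False),    # '~rc1' sorts below the final release
    ("pkg-e", "3.1-1", None, False),           # unfixed everywhere
]


def report(entries=SAMPLE):
    """Map each package to its status as the status page would list it."""
    return {pkg: issue_status(ver, fixed, na) for pkg, ver, fixed, na in entries}


if __name__ == "__main__":
    for pkg, status in report().items():
        print(f"{pkg}: {status}")
```

The "not-affected" note is the part that removes false positives from the status pages: the version comparison alone cannot know that a lower-numbered build never contained the vulnerable code, so that judgement has to be recorded per package and release and consulted before the version check.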


