Re: Security Support by the Security-Team

To: Florian Weimer <fw@deneb.enyo.de>
Cc: debian-security@lists.debian.org
Subject: Re: Security Support by the Security-Team
From: Helmut Toplitzer <helmut@toplitzer.net>
Date: Thu, 23 Jun 2005 01:42:25 +0200
Message-id: <[🔎] 200506230142.25697.helmut@toplitzer.net>
In-reply-to: <[🔎] 87is063urz.fsf@deneb.enyo.de>
References: <[🔎] 200506180904.38544.helmut@toplitzer.net> <[🔎] 87is063urz.fsf@deneb.enyo.de>

Hi!

Thanks Florian for your input.
It's nice to hear opinions of people inside debian, but
my remaining question is (and has already been picked up by
the release team in the release meeting minutes), 
how and where the "we are not able to support you" state 
of the security team should be documented for the users of debian.

> It's the only approach that will result in timely fixes of the bugs
> that are important to *you*.  Any vendor team will work within very
> tight constraints (time/budget, architecture support, backporting
So you think that one person (not familiar with the code) can do it
better or has more ressources than the security team + maintainers of 
the packages? 

> "Security is a process"?  Sounds a bit like "faith is a verb".
You are right :-)

> If there's a patch which actually applies to Debian's version, it's
> rather straightforward to apply it to the package and rebuild it,
> especially if you are a bit familiar with Debian's major source
> packaging environments.

If this is the case, why shouldn't it be done by the security team?

>
> If there isn't a patch, the necessary changes are often very complex
> and beyond what a security team can do.  Since Debian has no way to
> assign real developers remotely familiar with the code to work on a
> port to the relevant version, such security updates never happen.

You are right again. But how should this be communicated?
Debian (and every distro) have a quite big base even in a server-setup.
Lot's of packages result in a lot of possible problems for the system and
it's admin. You can't read all security related infos/mailinglists on the
internet. So to me it's a good idea to collect this information and
the homepage of the distro might be the best place (like s.d.o). You need
to communicate in an organized/team effort what hits the distro and what
doesn't (like the CAN/Bugtraq lists on s.d.o). 

I don't want and can't be the advocate of the security team because my work 
in this area is near zero, but to my opinion the s-t is taking the challange
quite well and has clearly defined what their do's/don'ts are.
When I'm reading the last mails I get more and more the impression that you
and others think that the work in s-supporting stable might be better in place
at unstable which I can't support cause this is were upstream gets grip.
(don't want to bash, but I've read them twice and I can't see the support
for the idea of a s-t, maybe I realy misunderstood what you wrote)

So back to the beginning. I like and I'm thankful to get support by the
security team for the stable debian branch, but if this support can't be done 
for whatever reason - I want to get informed about this fact. I will feel
better if this happens.

How do you think about this? 

-

But anyhow. Release team faced already up with this issue so I
don't want to interfere with them until a suggestion is made.


Thank you for reading so far. 
(As I can't keep it shorter I will shut up by now )
Cheers
Helmut

-- 
My GNUpg fingerprint http://www.gnupg.org
4563 F4FB 0B7E 8698 53CD  00E9 E319 35BD 6A91 1656

Reply to:

References:
- Re: Security Support by the Security-Team
  - From: Helmut Toplitzer <helmut@toplitzer.net>
- Re: Security Support by the Security-Team
  - From: Florian Weimer <fw@deneb.enyo.de>

Prev by Date: Re: safety of encrypted filesystems
Next by Date: Empty /root/.bash_history
Previous by thread: Re: Security Support by the Security-Team
Next by thread: Re: [SECURITY] [DSA 641-1] New playmidi packages fix local root exploit
Index(es):
- Date
- Thread