[cc'ing -project]

also sprach W. Borgert <debacle@debian.org> [2005.06.27.1525 +0200]:
> Just FYI: The well-known German Heise Newsticker (IT related) has an
> article today with the title "Debian without security update for
> several weeks": http://www.heise.de/newsticker/meldung/61076
> Hm, bad reputation for us...

It was only a question of time. I had asked Joey publicly about this at Linuxtag, so it's likely that this is the reason for the coverage by Heise. While I did not want to push Joey into a corner, it was quite scary to hear him explain that due to his involvement with Linuxtag, he did not even find the time to read his email.

This is not to blame Joey (without whom we wouldn't be where we are), but rather a plea for the Debian project to take *immediate* action. If Joey does not have time, security support just comes to a screeching halt. Talk about a bottleneck!

Our security team currently consists of five members and two secretaries. Joey is hopelessly overworked, but he is still doing a marvelous job. I do not know anything about the other members, as they do not seem to be very active, neither on IRC nor on the mailing lists.

The problem is that access to security.debian.org is restricted. Well, that's a good thing. But it's a problem when it comes to bottleneck situations as in the current case, when Joey is too occupied to handle his tasks as security team leader. I don't blame him at all. Without him, there would probably be far less Linuxtag, and he is after all not committed to spending 24 hours of his days on Debian! But I do wonder: if Joey was busy for two weeks and security.debian.org was not working right, what did the other four members and the two secretaries do?

I think we all agree that we cannot go on like this. We need to add a lot of redundancy to the team. And with that, I don't mean the one or two new members Joey promised in his answer to me.
With that, I mean that the size of the archive calls for a security team of 20 people or more. Security is a delicate domain, since Debian does need to ensure a level of privacy, so calling for complete openness as with other projects won't work. Obviously, we can't just appoint the first 20 to raise their hands. But what we can do is figure out the skills needed to successfully work with the team and ensure Debian's quality.

So far, these requirements have been very unclear to me, at least. There have been times when I was very active, monitoring security forums and fixing bugs, but the security team never approached me for help. I have been teaching security to professional audiences for five years now, so I would actually claim to have at least the necessary foundation upon which I can quickly learn to adapt to the processes of the security team. I am sure I am not the only one. And I am also sure not to be the only one without a clue what to do.

In general, my experience has been that security@debian.org is a black hole, and that offers to help are ignored. Of course, the Debian meritocracy calls for us to just do something to climb the ladder according to our accomplishments, but as with the other obscure domains of the Debian project, which are not open to anyone to just peek at and learn, it's really difficult to do this when it means working as a blind person with a couple of mutes.

So at the end of this very long post, I guess I get in line with all the other folks who'd like to have a statement from the other members of the security team about what's going on. At the same time, though, I think we need to take immediate action. Among the first steps would be the analysis of the status quo. I am going through the list of CVEs right now. There are *loads*. And I could use help. I'll ping joeyh to see if we could put his scripts for testing-security to any use.
As soon as we have a list of issues, everyone involved in security issues should get on the debian-security list (that's what we have) and add references to bug reports, or open new discussion threads. From there, we should try to create fixed packages one after the other and do everything we can to make it as easy as possible for Joey to upload. Once we've come back to normal, we should then see what to do about

Thanks for your patience.

-- 
Please do not send copies of list mail to me; I read the list!

 .''`.     martin f. krafft <madduck@debian.org>
: :'  :    proud Debian developer, admin, user, and author
`. `'`
  `-  Debian - when you have better things to do than fixing a system

Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!

"i don't think so," said rene descartes. just then, he vanished.