Re: Bad press related to (missing) Debian security

Jan Lühr wrote:

>On Monday, 27 June 2005 at 15:54, Carl-Eric Menzel wrote:
>>Does anybody know what the actual problem is, i.e. why there are no
>This is not an "actual" problem, this problem is rather imho structural. In 
>its last one to two years Woody was starving out of security updates. 
>(Samba, Mozilla, Kernel, etc.). 
These are much less of a problem since they deal with either Intranet
only applications (Samba), client side applications (mozilla) or the
kernel that one usually rolls their own for their servers. What I really
care about from Debian security team is up-to-date fixes for server
applications that can be exposed to the Internet. For example, apache,
squid, spamassassin, postfix, sendmail, exim, etc...

This time around, there has been a remote DoS against spamassassin for
quite a while now and no fix. The maintainer of spamassassin fixed the
problem next day (backport) and apparently submitted it to the security
team (at least that's what I've been told), yet there has been no
response whatsoever.

IMHO, the entire structure of the security team should probably be
overhauled. The maintainers should patch the problems (backport,
whatever) and the security team just authorizes the rebuild once they
are happy the fix will not mess up current functionality. How many
people do we need on the actual security team? The current listing states,

# Security Team -- <debian-security-private@lists.debian.org>
     /member/ Martin Schulze
     /member/ Wichert Akkerman
     /member/ Daniel Jacobowitz
     /member/ Michael Stone
     /member/ Matt Zimmerman
     /secretary/ Noah Meyerhans
     /secretary/ Steve Kemp

Is this enough?

- Adam