Re: Bad press related to (missing) Debian security

To: debian-security@lists.debian.org
Subject: Re: Bad press related to (missing) Debian security
From: Matt Zimmerman <mdz@debian.org>
Date: Mon, 27 Jun 2005 17:26:23 -0700
Message-id: <[🔎] 20050628002623.GS9833@alcor.net>
Mail-followup-to: debian-security@lists.debian.org
In-reply-to: <[🔎] 20050627235654.GA6326@informatik.uni-bremen.de>
References: <[🔎] 1119878719.42bffe3fdf2ba@webmail.in-berlin.de> <[🔎] 200506271550.24151.waja@gmx.de> <[🔎] 1119880458.22070.237235052@webmail.messagingengine.com> <[🔎] 200506271700.29891.jluehr@gmx.net> <[🔎] 42C04102.10307@zombino.com> <[🔎] 20050627182637.GN9833@alcor.net> <[🔎] 20050627183612.GN3081@morgul.net> <[🔎] 20050627205128.GL9591@mathom.us> <[🔎] 20050627235654.GA6326@informatik.uni-bremen.de>

On Tue, Jun 28, 2005 at 01:56:55AM +0200, Moritz Muehlenhoff wrote:

> Have a look at the system we use for the testing security team (I always
> thought it originated in the security team):
> http://lists.alioth.debian.org/pipermail/secure-testing-commits/2005-June/thread.html
> 
> This system is so efficient that most communication is basically made
> through svn log messages.
> 
> A similar way would be very nice for stable security support as well.

Interesting; I didn't know about this.  I suggested to Joey Hess that stable
and testing security work should be done by a single security team; one of
the benefits of this would be convergence on better tools.

> The whole embargo thing about stable security is overrated anyway; as far
> as I can see it for May and June only mailutils, qpopper and ppxp were
> embargoed, so that they hadn't been publicly known when the DSA was
> published (and even for mailutils and qpopper there was a small time frame
> of 1-2 days between first vendor fix and the DSA).  The majority of all
> issues could be handled a lot more transparent, IMO.

Yes, non-embargoed issues could be handled more transparently.  The best way
to deal with non-embargoed issues, of course, is for the package maintainer
to prepare an update and send it to the security team.

-- 
 - mdz

Reply to:

References:
- Bad press related to (missing) Debian security
  - From: "W. Borgert" <debacle@debian.org>
- Re: Bad press related to (missing) Debian security
  - From: Jan Wagner <waja@gmx.de>
- Re: Bad press related to (missing) Debian security
  - From: "Carl-Eric Menzel" <calle-debian@bitforce.com>
- Re: Bad press related to (missing) Debian security
  - From: Jan Lühr <jluehr@gmx.net>
- Re: Bad press related to (missing) Debian security
  - From: Adam Majer <adamm@zombino.com>
- Re: Bad press related to (missing) Debian security
  - From: Matt Zimmerman <mdz@debian.org>
- Re: Bad press related to (missing) Debian security
  - From: Noah Meyerhans <noahm@debian.org>
- Re: Bad press related to (missing) Debian security
  - From: Michael Stone <mstone@debian.org>
- Re: Bad press related to (missing) Debian security
  - From: Moritz Muehlenhoff <jmm@inutil.org>

Prev by Date: Re: Bad press related to (missing) Debian security
Next by Date: Re: Bad press related to (missing) Debian security
Previous by thread: Re: Bad press related to (missing) Debian security
Next by thread: Re: Bad press related to (missing) Debian security
Index(es):
- Date
- Thread