
Re: Uploaded ld.so 1.8.10-2.1 (source i386) to master



On Jul 19, Christian Schwarz wrote:
> > I think the security manager needs to have the authority to make
> > changes to packages when he feels it's necessary. Response time to bugs
> > that have been generally known for months is not an issue so much as is
> > response time to bugs we're just finding out about. If the package maintainer
> > doesn't like the fix, it's up to the package maintainer to issue a subsequent
> > package.
> > 
> > The security manager should coordinate with package maintainers, and get them
> > to do the fix if they can do so in a timely fashion, but it's his call if
> > something needs to be fixed right away and he decides to fix it on his own.
> 
> I agree that the security manager has the authority to make interim
> releases without asking on debian-devel or the maintainer in an "emergency
> situation". However, even the security manager has to follow our policy in

IMHO he should _always_ try to contact the maintainer (and maybe even
the upstream maintainer) first! The maintainer normally knows the package
_much_ better than a security manager. If the maintainer doesn't answer in
about 24/48 hours the security manager can upload an interim release.

> that case. That is, he/she has to file a bug report against the package
> providing info and a u-diff for the maintainer about the changes he/she
> has done.

Hmm, there are situations where it is not a good idea to make the bug
report and the source patch immediately public. About 2 years ago there
was a serious security hole in a program which is also part of the netstd
package. The guys at MIT (who found the bug) and CERT asked the people
(vendors) who received the information about the bug not to release this
information until all vendors had a chance to fix the program
and release a bug fix package, and the users had a chance to install the
update. Remember that some of the security holes allow people to get
(root) access to a remote machine! The sysadmin should have a chance to
protect his systems.

BTW: can we please make it mandatory for the security officer to
make an announcement on the appropriate security lists (linux-security
and maybe a new debian-security-announce)? This should at least be done
for bug reports that have been reported via bugtraq or linux-security.


Thanks,

Peter

-- 
Peter Tobias <tobias@et-inf.fho-emden.de> <tobias@debian.org> <tobias@linux.de>
PGP ID EFAA400D, fingerprint = 06 89 EB 2E 01 7C B4 02  04 62 89 6C 2F DD F1 3C 

