[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: security in testing



* Sven Luther <sven.luther@wanadoo.fr> [2003-05-16 13:33]:
>   Such a package should be as close to possible to the version actually
>   in testing, and not depend on packages and/or versions that are not
>   yet in testing.

 So, you request more or less that every developer should backport fixes
themself from the usual new upstream version that fixes the problem (and
mostly always have new features too) to the version in testing, which
might even be older than just one upstream release, due to usual holdups
in the transition. It sounds like you like to have every developer be
able to do what the security team does. That requires much skill -- much
more than most of us possess!

 I for my part don't think that I could spend enough efforts in doing
this correct, and I don't think that I'm that far below average in
skills of the usual debian developer.

 What _is_ needed to do it correct to make it work is having people that
are *willing* to do such backport fixes -- and still people only keep
repeating that it is needed and needed, but still noone is stepping
forward to do the actual work. I for my part would be pleased to be of
help when it's needed, but I'm afraid that I lack of skill to be in the
core team (hell, I'm JAPH, with some C knowledge, but when it comes to
python, C++, java or whatever I'm out of luck), left aside the time
constraints I'm currently facing.

> Also, we could add 2 things, first the RM assitants, which are debian
> developers who have voluntereed to help the RM in this, and have the
> right to give the green light to uploads.

 Off topic: I haven't seen it on d-d-a, are they decided yet? Just
curious.

> Second, what could be done about NMUs. Maybe a small group of apprentice
> security team members could scan the security announcements, and prepare
> NMU of such security holed packages, in close contact with the
> maintainer and the RM or his assistants, or maybe even the security
> team, especially if the problems are also present in stable packages.

 This is nothing new and was said over and over again -- just that noone
yet seem to have raised interest to do the work! Sorry for my pessimism
but I doubt that this thread will really make anyone step forward this
time....  I'd love to be told otherwise!

> So, with such an announcement, everyone wins

 Noone wins if noone likes to do the work, like I said before in this
thread. It would just make us look even more awkward, I guess.

> the maintainer will be able to fix things in testing more easily

 I've I understand you correct it wouldn't be easy, for backporting
fixes seldom is easy.

 So long!
Alfie
-- 
<Alfie> I have  a little problem with a bug-report I received... *scratch*
<doogie> Alfie: I send those to /dev/null
                                  -- #debian-devel

Attachment: pgpChr0026G0B.pgp
Description: PGP signature


Reply to: