Re: testing/security (was Re: Debian needs more buildds. It has offers. They aren't being accepted.)



On Wed, Feb 18, 2004 at 04:54:34PM -0500, Nathanael Nerode wrote:
> Anthony Towns wrote:
> >On Sat, Feb 14, 2004 at 11:06:39AM -0700, Jamin W. Collins wrote:
> >> On Sun, Feb 15, 2004 at 03:28:54AM +1000, Anthony Towns wrote:
> >> > It's fine that he feels blocked. I feel blocked from getting testing
> >> > working as well as it should because the security team aren't willing
> >> > to support it. Every now and then I try to convince them to change
> >> > their minds. So far they haven't, and don't look like ever doing so,
> >> > but that doesn't make them bad people, and no matter what I want a
> >> > different answer, or how much I might know about their job, they're
> >> > the ones in the best position to make that call. And until I do the
> >> > job myself or convince someone else to do it, and demonstrate that
> >> > it's doable, I've got no cause to expect _any_ assistance from the
> >> > security team.
> Exactly -- as opposed to the situation with wanna-build, where people offering 
> buildds have cause to expect assistance from the wanna-build access 
> controller.  *sigh*

What makes you think you have any more right to expect help from the buildd
maintainers than the release manager has to expect active support from the
security team?

You know, neither you nor Ingo being developers, there not being
a particularly significant long term problem there to address, the
security team having access to resources that aren't easily duplicated
(the 11 arch restricted-access autobuild network, and early announcements
of security issues) unlike the w-b controllers...

Whatever it is that's made you think that has misled you.

> [..] can offer security updates for their 'testing' packages, and send 
> them to testing-proposed-updates, correct? [..]
> It is also a reasonable way to distribute the work.

The assurance you need to be able to make is "there are no known security
bugs in any of this software"; without centralised tracking of security
issues, and a guarantee that people will respond to issues raised in a
timely fashion, it's not, IMO, reasonable to recommend testing to users
except in very restricted environments. Using t-p-u is entirely possible,
but it doesn't really solve the problem.

Cheers,
aj

-- 
Anthony Towns <aj@humbug.org.au> <http://azure.humbug.org.au/~aj/>
I don't speak for anyone save myself. GPG signed mail preferred.

             Linux.conf.au 2004 -- Because we could.
           http://conf.linux.org.au/ -- Jan 12-17, 2004
