Re: testing/security (was Re: Debian needs more buildds. It has offers. They aren't being accepted.)
Anthony Towns <firstname.lastname@example.org> writes:
> On Wed, Feb 18, 2004 at 04:54:34PM -0500, Nathanael Nerode wrote:
> > Anthony Towns wrote:
> > >On Sat, Feb 14, 2004 at 11:06:39AM -0700, Jamin W. Collins wrote:
> > >> On Sun, Feb 15, 2004 at 03:28:54AM +1000, Anthony Towns wrote:
> > >> > It's fine that he feels blocked. I feel blocked from getting testing
> > >> > working as well as it should because the security team aren't willing
> > >> > to support it. Every now and then I try to convince them to change
> > >> > their minds. So far they haven't, and don't look like ever doing so,
> > >> > but that doesn't make them bad people, and no matter what I want a
> > >> > difference answer, or how much I might know about their job, they're
> > >> > the ones in the best position to make that call. And until I do the
> > >> > job myself or convince someone else to do it, and demonstrate that
> > >> > it's doable, I've got no cause to expect _any_ assistance from the
> > >> > security team.
> > Exactly -- as opposed to the situation with wanna-build, where people offering
> > buildds have cause to expect assistance from the wanna-build access
> > controller. *sigh*
> What makes you think you have any more right to expect help from the buildd
> maintainers than the release manager has to expect active support from the
> security team?
Because its the job of the wanna-build manager to manage wanna-build.
Its not (yet?) the job of the security team to manage testing.
The difference is between making it their job and making him do his
> You know, neither you nor Ingo being developers, there not being
> a particularly significant long term problem there to address, the
> security team having access to resources that aren't easily duplicated
> (the 11 arch restricted-access autobuild network, and early announcements
> of security issues) unlike the w-b controllers...
All buildds are administrated by a capable buildd admin that is also a
DD. There was never any other requirement posted and a lot of buildds
already run fine that way.
Your comments about someone, that cares for his hardware or time
donations to Debian, not being a DD just shows that you split people
into DDs and non-DDs and from other comments it looks like you also
have a elite-DD group.
Very bad image your projecting. Sorry, but thats how you come across.
> Whatever it is that's made you think that has misled you.
> > [..] can offer security updates for their 'testing' packages, and send
> > them to testing-proposed-updates, correct? [..]
> > It is also a reasonable way distribute the work.
> The assurance you need to be able to make is "there are no known security
> bugs in any of this software"; without centralised tracking of security
> issues, and a guarantee that people will respond to issues raised in a
> timely fashion, it's not, IMO, reasonable to recommend testing to users
> except in very restricted environments. Using t-p-u is entirely possible,
> but it doesn't really solve the problem.