
Re: debian/kernel security issues (Was: Re: Bits (Nybbles?) from the Vancouver release team meeting)



On Tue, Mar 15, 2005 at 09:50:22AM +0100, Sven Luther wrote:

> On Mon, Mar 14, 2005 at 04:51:55PM -0800, Matt Zimmerman wrote:
> > On Tue, Mar 15, 2005 at 01:14:30AM +0100, Sven Luther wrote:
> > 
> > > On Mon, Mar 14, 2005 at 06:10:30PM -0500, Andres Salomon wrote:
> > > > Yes, I would like to reiterate that coordination between Martin Pitt, the
> > > > Ubuntu kernel team, and the Debian kernel team has been an invaluable
> > > > resource for Debian; there are a lot of security fixes in Debian
> > > > kernels that were brought to my attention by either Fabio or Martin.
> > > 
> > > Because they are in the security-announce-loop and we are not, right?
> > 
> > Can you restate the question more clearly?  In particular, expand the
> > pronouns "they" and "we", and explain what the security-announce-loop is.
> 
> There is this vendor-specific-security-announce-with-embargo thingy.

...which is the subject of a lot of unfounded speculation by those who are
not familiar with the process.

> To have proper security-in-testing-or-unstable for the kernel, the
> debian-kernel security team, or at least a few members of it, need to be made
> aware of the embargoed security holes, and get a chance to fix them in
> advance, maybe with a private or security non-public copy of our svn tree
> (using svk maybe).

Herbert Xu used to fill this role.  After he resigned, William Lee Irwin (I
believe) volunteered to be the point of contact for security issues.  If
William is not active in this role, the kernel team should nominate someone
else who can be trusted by the security team to work on sensitive issues,
and have them contact the security team.

> This is not an Ubuntu-related problem though, and the help the Ubuntu
> kernel/security team has provided us was invaluable, but it should maybe not
> be necessary if the information was not unrightfully withheld from us in the
> first place.

This problem has nothing whatsoever to do with Ubuntu, and I appreciate you
retracting this implication.  Whether you believe in coordinated disclosure
is equally irrelevant; the terms of such information are set by the rightful
party (e.g., the person who discovered it), and to violate those terms would
represent a breach of trust.

-- 
 - mdz