Re: debian/kernel security issues (Was: Re: Bits (Nybbles?) from the Vancouver release team meeting)



On Tue, Mar 15, 2005 at 08:51:30AM -0800, Matt Zimmerman wrote:
> On Tue, Mar 15, 2005 at 09:50:22AM +0100, Sven Luther wrote:
> 
> > On Mon, Mar 14, 2005 at 04:51:55PM -0800, Matt Zimmerman wrote:
> > > On Tue, Mar 15, 2005 at 01:14:30AM +0100, Sven Luther wrote:
> > > 
> > > > On Mon, Mar 14, 2005 at 06:10:30PM -0500, Andres Salomon wrote:
> > > > > Yes, I would like to reiterate that coordination between Martin Pitt, the
> > > > > Ubuntu kernel team, and the Debian kernel team has been an invaluable
> > > > > resource for Debian; there are a lot of security fixes in Debian
> > > > > kernels that were brought to my attention by either Fabio or Martin.
> > > > 
> > > > Because they are in the security-announce-loop and we are not though, right ? 
> > > 
> > > Can you restate the question more clearly?  In particular, expand the
> > > pronouns "they" and "we", and explain what the security-announce-loop is.
> > 
> > There is this vendor-specific-security-announce-with-embargo thingy.
> 
> ...which is the subject of a lot of unfounded speculation by those who are
> not familiar with the process.
> 
> > To have proper security-in-testing-or-unstable for the kernel, the
> > debian-kernel security team, or at least a few members of it, need to be made
> > aware of the embargoed security holes, and get a chance to fix them in
> > advance, maybe with a private or security non-public copy of our svn tree
> > (using svk maybe).
> 
> Herbert Xu used to fill this role.  After he resigned, William Lee Irwin (I
> believe) volunteered to be the point of contact for security issues.  If
> William is not active in this role, the kernel team should nominate someone
> else who can be trusted by the security team to work on sensitive issues,
> and have them contact the security team.
> 
> > This is not a ubuntu related problem though, and the help the ubuntu
> > kernel/security team has provided us was invaluable, but it should maybe not
> > be necessary if the information had not been unrightfully withheld from us in
> > the first place.
> 
> This problem has nothing whatsoever to do with Ubuntu, and I appreciate you
> retracting this implication.  Whether you believe in coordinated disclosure
> is equally irrelevant; the terms of such information are set by the rightful
> party (e.g., the person who discovered it), and to violate those terms would
> represent a breach of trust.

I never made any such implication, and I am not even sure what implication you
are speaking about here. I only mentioned that the current kernel team has no
access to the vendor-sec stuff, and as such it is logical that the help flows
from ubuntu (who has access to it, right?) since the ubuntu kernel team has a
couple of weeks advance notice of the problems. Other problems also flow the
other way around though.

Friendly,

Sven Luther