
Re: debian/kernel security issues (Was: Re: Bits (Nybbles?) from the Vancouver release team meeting)


Andres Salomon [2005-03-16  2:43 -0500]:
> >>>> You seem to be implying that ubuntu is providing you with confidential
> >>>> prior warning about kernel security holes, but I really doubt this,
> >>> 
> >> 
> >> Actually, that was the case for a while (before ubuntu's kernel team went
> >> on vacation, and I went on vacation).  However, w/ all the vacations
> >> that have been happening, it hasn't been the case for a few months.
> >> 
> >> 
> > 
> > Rather, I was mistaken; they were things that had already been made
> > public.

Right, I never gave away details about undisclosed issues. At most I
said to you "hey, there is another issue that will be published in two
days, so rather wait with an upload".

> And, as a perfect example;
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0210
> This has already been made public, and has been fixed in Ubuntu kernels
> for 2 days.  Sure would be nice for the cve folks to let the rest of us in on
> it, eh?

Mitre generally lags behind fairly badly with this. I think it is
generally easier to coordinate with the Ubuntu kernel and security
teams. I track all issues that affect the Ubuntu kernel (which mostly
affect Debian as well) and generally know patch URLs etc. Also, you
can always get patches from the source packages, or get them from the
arch repository.

But in the long run I think it would be easier to apply for vendor-sec
subscription. Joey is already subscribed, but since he does not deal
with unstable updates, it would be good to have Andres on board.
Personally I would appreciate and support Andres' subscription to


Martin Pitt                       http://www.piware.de
Ubuntu Developer            http://www.ubuntulinux.org
Debian GNU/Linux Developer       http://www.debian.org
