Security work in Debian (Was: Relaxing testing requirements)
> The answer is simple:
For every problem there is a simple and obvious answer which just
happens to be wrong. I believe you ran into one of those. :)
> Not everybody can become a security team member, the required
> technical skills are quite high. There is a VERY high commitment
> requirement as well, so even some of the skilled people do not
> become part of the security team. Besides _that_, most people agree
> that creating new code is more fun than patching existing code, so
> even less people step into that position.
> Remember this is a volunteer project. I know of no extra volunteers
> willing to take up such a task as Security. You repeatedly talk
> about adding man-power to it. So... Are you in?
There are two security teams in effect now. The debian/stable team,
working to make sure the stable release of Debian gets security fixes
as soon as possible. They get security warnings before the issues
become public knowledge. Membership into this team is not over for
There is also the debian/testing team, working to fix security issues
in the testing release of Debian. This team only works with publicly
known information, and is open for everyone interested in helping out
with security fixes for Debian. This second team was created by Joey
Hess as part of his work for Debian Edu, and there are several
volunteers participating in this effort. To participate, check out
<URL:http://secure-testing.alioth.debian.org/>. Debian Edu are trying
to find funding to hire more people to work on security in Debian.
Contact me if you are interested in funding this work. :)
I hope in time the "public" debian/testing security team can become a
good recruitment base for the "private" debian/stable security team.
This will hopefully let us avoid the current problem with the lack of
man-power in the debian/stable security team.