Re: Bits from the Security Team

To: debian-devel@lists.debian.org
Subject: Re: Bits from the Security Team
From: Steve Langasek <vorlon@debian.org>
Date: Mon, 10 Mar 2008 01:24:27 -0700
Message-id: <[🔎] 20080310082426.GA20374@dario.dodds.net>
Mail-followup-to: debian-devel@lists.debian.org
In-reply-to: <20080309220511.GA3834@galadriel.inutil.org>
References: <20080309220511.GA3834@galadriel.inutil.org>

Hi Moritz,

On Sun, Mar 09, 2008 at 11:05:11PM +0100, Moritz Muehlenhoff wrote:
> Use of RT
> =========

> The Security Team is now using Request Tracker to coordinate work 
> and our RT processes have already been refined a lot.
> If you're a package maintainer working towards a security update,
> you're now encouraged to open a ticket directly. You will be kept in
> CC during the life time of the ticket. If you're opening a ticket for
> a security problem, which is not yet publicly known, e.g. if you've
> discovered it by yourself or if you have been contacted by upstream,
> please open a ticket in the "Security - Private" queue. These
> issues will only be visible by the Security Team.

> If you're opening a ticket for a security problem which is publicly
> known, e.g. if it's announced on the project web site, please open a
> ticket in the "Security" queue. These issues will be visible publicly.

As far as I can see, this announcement mail doesn't mention where the RT
instance is running, nor the means of opening a ticket in the appropriate
queue.  Where is this information available?

> We're planning to improve our quality assurance process for security
> updates by providing a public security update beta test program in
> addition to the existing QA done for security updates. 
> During the preparation of security updates, there's an inherent delay
> between the initial upload of the fixed packages and the time until
> the packages have been built on porter machines. This time gap will be
> used for a new security update beta program. The test program will be
> targeted at large installations, which install security updates in a
> test environment before installing them into the production
> environment. This test group will be initially limited.

Is this meant to apply only to unembargoed security updates?  AIUI, the
practice today is that for embargoed security updates, all of the binaries
are kept in the queue until they're ready for release; so I don't really see
a gap when the security update is public but the binary packages aren't
built?

Cheers,
-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek@ubuntu.com                                     vorlon@debian.org

Reply to:

Follow-Ups:
- Re: Bits from the Security Team
  - From: "Thijs Kinkhorst" <thijs@debian.org>
- Re: Bits from the Security Team
  - From: Moritz Muehlenhoff <jmm@inutil.org>

Prev by Date: Re: dpkg semi-hijack - an announcement (also, triggers)
Next by Date: Re: Bits from the Security Team
Previous by thread: Re: Bits from the Security Team
Next by thread: Re: Bits from the Security Team
Index(es):
- Date
- Thread