
Re: ssl security desaster (was: Re: changing subjects when discussion becomes slightly off-topic - Was:Re: SSH keys: DSA vs RSA)

On 16 May 08 at 15:41, Miriam Ruiz wrote:

> 2008/5/16 Thibaut Paumard <paumard@users.sourceforge.net>:
>
> [...] Maybe there should also be a
> clasification of packages according to how bad would a bug be in them
> for the whole system, so that patches in those could be more carefully

Actually, I seem to remember that the issue of critical packages being maintained by only one person has been pointed out here several times already this year (although I don't remember the particular threads). Certainly, such packages need better QA than the rest. By the way, I was under the impression that Ubuntu was claiming a tighter QA for their core system... (tighter than the rest of Ubuntu, perhaps not than Debian).

I can see two approaches to deal with "critical" packages:

- enforcing team maintenance, although I'm not sure that would solve the problem: how can we be certain that each member would cross-check each other's work? Perhaps a double signature could be required, so that we are certain that the source actually reached several maintainers' computers before being uploaded?

- having a special queue where every upload (to those critical packages) needs to be reviewed by a special task force, but that would delay upgrades and there needs to be provisions for urgent security fixes... Perhaps those critical packages can indeed go directly into the pool, but be automatically marked with an RC bug: "needs security review"? That may be silly to mark every "critical" package as RC buggy each time it is uploaded to the archive... But doesn't it make some sense?

Of course both approaches require skilled manpower... I can see that the first approach distributes the workload on potentially more people, while the second one may ensure the better reviews...

There comes then the question of what packages are critical. At first I was thinking the entire set of "required" packages should be considered critical, but that may not be necessary. (And certainly, many packages which are _not_ required are critical as well).

Hope I'm not talking too much nonsense.

Best regards, Thibaut.
