
Re: Longer maintenance for (former) stable releases of Debian (Re: Dreamhost dumps Debian)
On Thu, Aug 29, 2013 at 11:59 AM, Martin Zobel-Helas wrote:

> I am raising my hand here. I am willing to support the debian security
> team. I will be able to do that during my paid work time, as my
> employer, credativ, is backing this.
>
> Mid-term goal should be a Debian LTS version, but we can only achieve
> this by enhancing the debian security team.

For yourself and anyone else who wants to get involved:

Maintaining the security tracker data is a great way to start helping
with security stuff:

http://anonscm.debian.org/viewvc/secure-testing/doc/narrative_introduction?view=co
https://security-tracker.debian.org/tracker/data/report

Having debsecan (or a nagios check based on it) run on debian.org and
credativ machines could be an interesting way forward. This is likely
to require some triage of incoming issues since many of them are only
a problem under specific conditions.

The security audit efforts need reviving:

http://www.debian.org/security/audit/

Targets for security updates can be found in the links on the front
page of the security tracker:

https://security-tracker.debian.org/tracker/

Procedures for security updates are in devref of course:

http://www.debian.org/doc/manuals/developers-reference/pkgs.html#bug-security

The codesearch site is useful for finding code copies, which are
documented in SVN:

http://codesearch.debian.net/
https://wiki.debian.org/EmbeddedCodeCopies

It is also useful for finding potentially vulnerable code or the
presence of specific issues.

Some other stuff on the wiki:

https://wiki.debian.org/Teams/Security

There are some efforts for running static analysis tools over the
archive, which could be useful for finding more potential security
issues.

http://firewoes.debian.net/
http://qa.debian.org/daca/

-- 
bye,
pabs

http://wiki.debian.org/PaulWise
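The "debsecan as a Nagios check, with triage" idea from the message above, as an added example that is not part of the original message and not Debian's own tooling. It assumes debsecan's default summary output has the shape "CVE-... package (fixed, remotely exploitable, high urgency)" with "fixed" meaning an update is available but not installed; the whitelist file format and the severity policy are this script's own conventions. The sample data at the bottom is constructed and uses fake identifiers.

```python
#!/usr/bin/env python3
"""Nagios-style wrapper around debsecan with a local triage list.

Added example (not from the original message or from Debian's tools).
Assumes debsecan's default summary lines look like
  CVE-2013-0001 libfoo1 (fixed, remotely exploitable, high urgency)
where "fixed" means an updated package is available in the archive but
not yet installed. The whitelist file format is this script's own.
"""
import re
import subprocess
import sys

OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3  # standard Nagios plugin exit codes

# "<bug> <package> (<comma-separated notes>)", notes optional.
LINE_RE = re.compile(r"^(?P<bug>\S+)\s+(?P<pkg>\S+)(?:\s+\((?P<notes>[^)]*)\))?\s*$")


def parse_summary(text):
    """Parse debsecan summary output into dicts; unparseable lines are skipped."""
    issues = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m.group("bug").startswith(("CVE-", "TEMP-")):
            continue
        notes = {n.strip() for n in (m.group("notes") or "").split(",")}
        issues.append({"bug": m.group("bug"), "pkg": m.group("pkg"),
                       "fixed": "fixed" in notes,
                       "remote": "remotely exploitable" in notes,
                       "high": "high urgency" in notes})
    return issues


def load_whitelist(text):
    """Local triage decisions, one '<bug> <package> <reason>' per line, '#' comments."""
    entries = set()
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 2)
        if len(parts) >= 2:
            entries.add((parts[0], parts[1]))
    return entries


def classify(issues, whitelist=frozenset()):
    """Map issues to (exit code, status line).

    Policy (an assumption about what an admin wants paged for):
      CRITICAL  a fix is available and not installed -> act now
      WARNING   unfixed, but remotely exploitable or high urgency
      OK        everything else, including whitelisted (triaged) issues
    """
    fixable, urgent, suppressed = [], [], 0
    for i in issues:
        if (i["bug"], i["pkg"]) in whitelist:
            suppressed += 1
        elif i["fixed"]:
            fixable.append(i)
        elif i["remote"] or i["high"]:
            urgent.append(i)
    state = CRITICAL if fixable else WARNING if urgent else OK
    label = {OK: "OK", WARNING: "WARNING", CRITICAL: "CRITICAL"}[state]
    msg = "DEBSECAN %s - %d fixable, %d unfixed urgent, %d whitelisted, %d total" % (
        label, len(fixable), len(urgent), suppressed, len(issues))
    names = sorted("%s/%s" % (i["pkg"], i["bug"]) for i in fixable + urgent)
    if names:
        msg += ": " + ", ".join(names[:5]) + (" ..." if len(names) > 5 else "")
    return state, msg


# Constructed sample data with fake identifiers (not real scanner output).
SAMPLE_OUTPUT = """\
CVE-0000-0001 libfoo1 (fixed, remotely exploitable, high urgency)
CVE-0000-0002 barproc (remotely exploitable, high urgency)
CVE-0000-0003 bazlib (low urgency)
CVE-0000-0004 quxd (fixed)
"""
SAMPLE_WHITELIST = """\
# bug           package  reason
CVE-0000-0002   barproc  only reachable when the optional network module is enabled
"""


def main(argv):
    """Usage: check_debsecan.py [suite] [whitelist-file]; exit code is the Nagios state."""
    suite = argv[1] if len(argv) > 1 else "wheezy"
    try:
        out = subprocess.run(["debsecan", "--suite", suite, "--format", "summary"],
                             capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError) as exc:
        print("DEBSECAN UNKNOWN - debsecan failed: %s" % exc)
        return UNKNOWN
    whitelist = frozenset()
    if len(argv) > 2:
        with open(argv[2]) as fh:
            whitelist = load_whitelist(fh.read())
    state, msg = classify(parse_summary(out), whitelist)
    print(msg)
    return state


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The triage step the message mentions lives in the whitelist: each line records the bug, the package and the reason it does not apply on this host, so the check stops paging for it while the count of suppressed issues still shows up in the status line for review.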