Re: Bits from the Security Team



Moritz Muehlenhoff wrote...

> Security archive
> - ----------------
> 
> * In order to avoid bottlenecks and to open up the security process
>   further we're planning to allow maintainers which are not part of
>   the security team to release security updates on their own. This
>   applies to packages which have frequent vulnerabilities and where
>   the maintainers are involved in the update process anyway.

The current model at least theoretically allows someone (read: the
security team) to review the patch provided by the maintainer. I like
that four-eyes principle and wouldn't want to give it away.

But perhaps your plan is rather about moving the task of the actual
upload to the maintainer *after* some discussion? Or will you stand
being surprised by an unannounced security upload? (This is none of
my business, I'm just curious.)

> Others
> - ------

> * In some cases the scope of security support needs to be limited (e.g.
>   webkit-based browsers in Wheezy) and sometimes packages need to be
>   end-of-lifed before the security support time frame ends. Currently
>   this information needs to be retrieved from the release notes or
>   announcement mails. We'd like to see a more technical solution which
>   displays the unsupported packages for the installed packages on a
>   specific system. If anyone wants to work on such a script, please
>   contact team@security.debian.org and we can hash out the details.

That's much-needed, especially with an upcoming LTS. Expect mail.

> LTS
> - ---
> 
> * At the moment it seems likely that an extended security support
>   timespan for squeeze is possible. The plan is to go ahead, sort out
>   the details as it happens, and see how this works out and whether
>   it is going to be continued with wheezy.

At least worth a try. I was wondering whether popcon gathers data to
learn how many people will actually use LTS (I think it does).

>   The rough draft is that updates will be delivered via a separate
>   suite (e.g. squeeze-lts), where everyone in the Debian keyring can
>   upload in order to minimise bottlenecks and allow contributions by
>   all interested parties. Some packages will be exempted upfront due
>   to their volatile nature (e.g. some web applications) and others
>   might be expected to see important changes. The LTS suite will be
>   limited to amd64 and i386. The exact procedures will be sorted out
>   soon and announced in a separate mail.

Be prepared to answer some questions, like:

Are maintainers expected to support "leap-frog" upgrades, i.e. from
squeeze-lts to jessie? If no, users will try this anyway at EOL of
squeeze-lts (in two years or so), so brace for nasty bug reports. If
yes, some maintainers might already have dropped the squeeze-to-wheezy
upgrade scripts in their packages, thus possibly causing breakage. At
least I did. No evil intentions, that was before the LTS discussion
came up.

    Christoph
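A sketch of the per-system check the security team asks for in the "Others" section above (installed packages cross-referenced against a list of packages whose security support is limited or has ended), added here as an example; it is not from this thread or from any Debian tool, and the list format, package names and reason strings are constructed assumptions:

```shell
#!/bin/sh
# Added example (not from the thread or any Debian package): report which
# installed packages have limited or ended security support.
#
# Assumed, constructed data format, one entry per line:
#   <package> <status> <reason...>      status: "ended" | "limited"
# A real deployment would ship this list in a package refreshed with each
# announcement instead of hard-coding it here.
SUPPORT_LIST='chromium limited no security support in wheezy, use another browser
iceweasel ended upstream branch no longer maintained
php5 limited only issues with public exploits are fixed
libv8 ended no upstream support'

# Print installed package names, one per line, via dpkg when available.
# dpkg's ${Status} is three words ("install ok installed"), hence $4.
installed_packages() {
    command -v dpkg-query >/dev/null 2>&1 || return 0
    dpkg-query -W -f='${Package} ${Status}\n' | awk '$4 == "installed" { print $1 }'
}

# check_support <newline-separated package names>
# Prints one line per affected package; exit status 1 if any were found,
# so the function doubles as a monitoring check.
check_support() {
    printf '%s\n' "$SUPPORT_LIST" | awk -v installed="$1" '
        BEGIN {
            n = split(installed, a, "\n")
            for (i = 1; i <= n; i++) if (a[i] != "") have[a[i]] = 1
        }
        ($1 in have) {
            reason = ""
            for (i = 3; i <= NF; i++) reason = reason (i > 3 ? " " : "") $i
            printf "%s: security support %s (%s)\n", $1, $2, reason
            found = 1
        }
        END { exit found ? 1 : 0 }'
}

# Scan the live system only when run as "./check-support.sh --scan", so the
# functions can also be sourced and exercised offline with constructed input.
if [ "${1:-}" = "--scan" ]; then
    check_support "$(installed_packages)"
fi
```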