Re: Bits from the Security Team
Moritz Muehlenhoff wrote...
> Security archive
> ----------------
>
> * In order to avoid bottlenecks and to open up the security process
> further we're planning to allow maintainers which are not part of
> the security team to release security updates on their own. This
> applies to packages which have frequent vulnerabilities and where
> the maintainers are involved in the update process anyway.
The current model at least theoretically allows someone (read: the
security team) to review the patch provided by the maintainer. I like
that four-eyes principle and wouldn't want to give it away.
But perhaps your plan is rather about moving the task of the actual
upload to the maintainer *after* some discussion? Or will you stand
being surprised by an unannounced security upload? (This is none of
my business, I'm just curious.)
> Others
> ------
> * In some cases the scope of security support needs to be limited (e.g.
> webkit-based browsers in Wheezy) and sometimes packages need to be
> end-of-lifed before the security support time frame ends. Currently
> this information needs to be retrieved from the release notes or
> announcement mails. We'd like to see a more technical solution which
> displays the unsupported packages for the installed packages on a
> specific system. If anyone wants to work on such a script, please
> contact team@security.debian.org and we can hash out the details.
That's much-needed, especially with an upcoming LTS. Expect mail.
> LTS
> ---
>
> * At the moment it seems likely that an extended security support
> timespan for squeeze is possible. The plan is to go ahead, sort out
> the details as it happens, and see how this works out and whether
> it is going to be continued with wheezy.
At least worth a try. I was wondering whether popcon gathers data to
learn how many people will actually use LTS (I think it does).
> The rough draft is that updates will be delivered via a separate
> suite (e.g. squeeze-lts), where everyone in the Debian keyring can
> upload in order to minimise bottlenecks and allow contributions by
> all interested parties. Some packages will be exempted upfront due
> to their volatile nature (e.g. some web applications) and others
> might be expected to see important changes. The LTS suite will be
> limited to amd64 and i386. The exact procedures will be sorted out
> soon and announced in a separate mail.
Be prepared to answer some questions, like:
Are maintainers expected to support "leap-frog" upgrades, i.e. from
squeeze-lts to jessie? If no, users will try this anyway at EOL of
squeeze-lts (in two years or so), brace for nasty bug reports. If
yes, some maintainers might already have dropped the squeeze-to-
wheezy upgrade scripts in their packages, thus possibly causing
breakage. At least I did. No evil intentions, that was before the LTS
discussion came up.
Christoph
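The per-system "which of my installed packages are no longer supported" check that the quoted mail asks for, sketched as an added example that is not part of this thread or of any Debian tool; the three-column list format, every entry in it and the installed-package lines are constructed for illustration, and a real run would feed the script the output of `dpkg-query -W -f '${Package} ${Version} ${Status}\n'` instead of the sample.

```python
import datetime

# Constructed list (format assumed for this example): package, support-end date, note.
UNSUPPORTED_LIST = """\
# package    support-end  note
chromium     2014-01-01   Security support limited; see the release notes
libv8-3.8    2013-06-30   Only covered via the packages that embed it
squid3       2016-02-06   Sample entry whose support has not ended yet
"""

# Constructed output of: dpkg-query -W -f '${Package} ${Version} ${Status}\n'
INSTALLED_SAMPLE = """\
chromium 31.0.1650.63-1~deb7u1 install ok installed
libv8-3.8 3.8.9.20-2 deinstall ok config-files
squid3 3.1.20-2.2+deb7u2 install ok installed
bash 4.2+dfsg-0.1+deb7u3 install ok installed
"""

def parse_unsupported(text):
    """Map package name -> (support end date, note), skipping blank and comment lines."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pkg, end_date, note = line.split(None, 2)
        entries[pkg] = (datetime.date.fromisoformat(end_date), note)
    return entries

def parse_installed(text):
    """Map package name -> version, keeping only packages in state 'install ok installed'."""
    installed = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 5 and fields[2:] == ["install", "ok", "installed"]:
            installed[fields[0]] = fields[1]
    return installed

def check_support(installed, unsupported, today):
    """Return (ended, ending): installed packages whose support has ended / will end."""
    ended, ending = [], []
    for pkg, version in sorted(installed.items()):
        if pkg in unsupported:
            end_date, note = unsupported[pkg]
            (ended if end_date <= today else ending).append((pkg, version, end_date.isoformat(), note))
    return ended, ending

if __name__ == "__main__":
    today = datetime.date(2014, 3, 1)  # constructed "today"; use datetime.date.today() on a real host
    print(check_support(parse_installed(INSTALLED_SAMPLE), parse_unsupported(UNSUPPORTED_LIST), today))
```

Packages only left in "config-files" state are deliberately skipped, since nothing of them is still running on the system.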