security for 3.0 [was: Re: summary from the irc meeting 8/1-2007]
Hi mates

Thanks to Ronny for summarizing it.
> 2. Bits from the security team for Debian-Edu/Skolelinux 3.0
> White explained about debian-edu specific security, and the need to keep
> local packages to a minimum. A rough list of packages is
> debian-edu-install, debian-edu-config, CipUX, ltspfs. A better list
> would be an advantage, if someone would compile one. It was decided not
> to define a general rule for the packages. Just say that it should be a
> minimum and leave it to ftpmasters and security team to complain if it
> becomes too many.

As you might know, the debian-edu security heavily relied on the debian stable 
security team. Now debian etch is frozen and, besides some exceptions, it is 
hard to get new package versions in (and I would say that it is impossible to 
get new packages into etch). This means that we will probably ship a couple 
of packages in the debian-edu etch local pool for our 3.0 release. However, I 
am not really happy about that, as it means that the security team has to 
spend some additional attention on these special packages, but it seems to be 
necessary. I am completely fine with the debian-edu core packages:
debian-edu (and its binaries), 
debian-edu-install and 
debian-edu-config.

I personally do not think that the debian-edu-artwork package or the 
debian-edu-archive-keyring package need an update (and both do not really 
bother me anyway concerning security).
In addition to these core packages it seems that we need to ship our 
$administration-tool package(s) there as well (which I consider a bad thing 
in general, as it should be in debian and has to be in debian unstable and 
later testing anyway).

Another candidate, as already mentioned, is gnash. If it does not enter etch it 
might be considered as a candidate.
Besides that I do not know of any package we need to keep in the local pool for 
the 3.0 release. If somebody knows of a package, then it should definitely be 
sure that this package is in debian unstable and enters testing as soon as 
possible after the etch release.
If you have such a package and if you are really sure that it is critical for 
debian-edu to ship this package, then get it uploaded to the debian-edu pool, 
but bear in mind that the ftpmasters or the security team won't include it, 
so you have to convince them.
So far the bits for the current status.

Thank you all for your great work.

Cheers
Steffen
