Re: security for 3.0 [was: Re: summary from the irc meeting 8/1-2007]

To: Steffen Joeris <Steffen.Joeris@skolelinux.de>
Cc: debian-edu@lists.debian.org
Subject: Re: security for 3.0 [was: Re: summary from the irc meeting 8/1-2007]
From: Ronny Aasen <ronny@skolelinux.no>
Date: Mon, 08 Jan 2007 23:03:59 +0100
Message-id: <[🔎] 45A2BFCF.1050101@skolelinux.no>
In-reply-to: <[🔎] 200701082240.53632.Steffen.Joeris@skolelinux.de>
References: <[🔎] 45A2B136.6040907@skolelinux.no> <[🔎] 200701082240.53632.Steffen.Joeris@skolelinux.de>

Steffen Joeris wrote:

Hi mates

Thanks to Ronny for summarizing it.
2. Bits from the security team for Debian-Edu/Skolelinux 3.0
White explained about debian-edu spesific security, and the need to keep
local packages to a minimum. a rough list of packages is
debian-edu-install, debian-edu-config, CipUX, ltspfs. A better list
would be a advantage, if someone would compile one. It was decided not
to define a general rule for the packages. Just say that it should be a
minimum and leave it to ftpmasters and security team to complain if it
becomes to many.
As you might know the debian-edu security heavily relied on the debian stablesecurity team. Now debian etch is frozen and beside some exceptions it ishard to get new package versions in (and I would say that it is impossible toget new packages into etch). This means that we will probably ship a coupleof packages in the debian-edu etch local pool for our 3.0 release. However Iam not really happy about that, as it means that the security team has tospend some additional attention to these special packages, but it seems ot beneccessary. I am completely fine with the debian-edu core packages:debian-edu (and its binaries),debian-edu-install anddebian-edu-config .
I personally do not thing that the debian-edu-artwork package or thedebian-edu-archive-keyring package need an update (and both do not reallybother me anyway concerning security).In addition to these core packages it seems that we need to ship our$administration-tool package(s) there as well (which I consider a bad thingin general as it should be in debian and has to be in debian unstable andlater testing anyway).
Another candidate as already mentioned is gnash. If it does not enter etch itmight be considered as a candidate.Beside that I do not know of any package we need to keep in the local pool forthe 3.0 release. If somebody knows of a package, then it should definetely besure that this package is in debian unstable and enters testing as soon aspossible after the etch release.If you have such a package and if you are really sure that it is critical fordebian-edu to ship this package then get it uploaded to the debian-edu pool,but bare in mind that the ftpmasters or the security team won't include it,so you have to convince them.
So far the bits for the current status.

Thank you all for your great work.

ltspfs it's the package providing local device access on ltsp thinclients. it's allready in local and unstable, but not in testing.It's a much asked for feature. And a golden opportunity to standarize ona local device access method. compared to the samba/sshfs/nbd methods inuse now.


Ronny

Reply to:

Follow-Ups:
- Re: security for 3.0 [was: Re: summary from the irc meeting 8/1-2007]
  - From: Steffen Joeris <Steffen.Joeris@skolelinux.de>

References:
- summary from the irc meeting 8/1-2007
  - From: Ronny Aasen <ronny@skolelinux.no>
- security for 3.0 [was: Re: summary from the irc meeting 8/1-2007]
  - From: Steffen Joeris <Steffen.Joeris@skolelinux.de>

Prev by Date: debian-edu-config_0.409+svn30010_i386.changes ACCEPTED
Next by Date: Re: security for 3.0 [was: Re: summary from the irc meeting 8/1-2007]
Previous by thread: security for 3.0 [was: Re: summary from the irc meeting 8/1-2007]
Next by thread: Re: security for 3.0 [was: Re: summary from the irc meeting 8/1-2007]
Index(es):
- Date
- Thread