Re: Long term improvement to Debian's security and LTS
On Sat, Oct 31, 2015 at 04:00:56PM +0100, Raphael Hertzog wrote:
> On Fri, 30 Oct 2015, Moritz Muehlenhoff wrote:
> > > > - improving the security infrastructure
> > That has certainly the best net positive from my point of view.
> From my point of view too. But I'm not sure I would put the same
> emphasis as you on dak related work.
Well we're the ones who use it all the same and you asked us, so...
> I would possibly suggest to work on the security tracker:
> - have stats about security updates on all packages so that we can
> easily identify which packages should be targeted in any pro-active
> security work
> - have stats on the delay between issues appearing in our radar and having
> the issue fixed
> - have stats on the number of open issues in each Debian release
> - https://bugs.debian.org/cgi-bin/pkgreport.cgi?pkg=security-tracker;dist=unstable
We don't need any of this.
There's already plenty of data sources from the security tracker w/o people
doing the work based on that (like filing bugs for untracked issues, assigning
CVEs to temp issues).
> The general workflow of the security teams can possibly be improved with
> better tools.
All the problems we have are around the archive processing side (with the
low-hanging fruits the ones above).