
Re: Long term improvement to Debian's security and LTS



On Sat, Oct 31, 2015 at 04:00:56PM +0100, Raphael Hertzog wrote:
> On Fri, 30 Oct 2015, Moritz Muehlenhoff wrote:
> > > > - improving the security infrastructure
> > 
> > That has certainly the best net positive from my point of view.
> 
> From my point of view too. But I'm not sure I would put the same
> emphasis as you on dak related work.

Well we're the ones who use it all the same and you asked us, so...
 
> I would possibly suggest to work on the security tracker:
> - have stats about security updates on all packages so that we can
>   easily identify which packages should be targeted in any pro-active
>   security work
> - have stats on the delay between issues appearing in our radar and having
>   the issue fixed
> - have stats on the number of open issues in each Debian release
> - https://bugs.debian.org/cgi-bin/pkgreport.cgi?pkg=security-tracker;dist=unstable

We don't need any of this.

There's already plenty of data sources from the security tracker w/o people
doing the work based on that (like filing bugs for untracked issues, assigning
CVEs to temp issues). 
 
> The general workflow of the security teams can possibly be improved with
> better tools.

All the problems we have are around the archive processing side (with the
low-hanging fruits the ones above).
 
Cheers,
        Moritz

