Re: Question for all candidates: Security team
* Henning Makholm <firstname.lastname@example.org> [2005-03-15 12:32]:
> It has been asserted on several occasions over the last few years that
> the security team is overworked and understaffed. This is a problem
> that is hard for the average developer to help with, because someone
> who spontaneously volunteers for the job out of the blue shouldn't be
> entrusted with secrets anyway.
I'll leave your questions to the DPL candidates to them, but I'd like
to point out that your sentence above is factually wrong - I know
there is a common misconception that it's hard to contribute to
security work (and this misconception makes it hard to find
volunteers), but this is not true.
It has been repeatedly pointed out on public mailing lists that you do
not have to be a member of the security team, or even a Debian
developer, to make significant contributions to Debian's security
support. Most of the security work is tracking vulnerabilities,
finding or backporting patches and preparing packages. Anyone can do
that, and the security team has invited people to help with these
tasks. Essentially, you only need a member of the security team to
actually upload the source and publish an advisory, but *everything*
else can be done by other people. People can:
- monitor security lists
- check if bugs reported there apply to Debian
- file bug reports in the BTS
- send patches (either by grabbing them from the security lists, from
other vendors, from upstream, or by writing them)
- prepare packages
- draft advisories
(which is about testing but the same applies to stable) and
give more information.
Furthermore, there has been a long discussion about having a database
to keep better track of security issues. Matt Zimmerman (or a friend
of his) wanted to work on this, but I'm not sure it ever went
anywhere. If he has mails outlining what it needs to do someone
could possibly implement it and thereby help the security team.
Finally, there is also a Debian audit project which helps to improve
security in the long run. http://www.debian.org/security/audit/
(Mail-Followup-To: debian-project since this is imho more appropriate.
maybe even -security but I hope -project will get more people involved
in security work)