Re: Bad press related to (missing) Debian security

martin f krafft wrote on 27/06/2005 20:02:
> [cc'ing -project]

I currently see two problems which require different levels of
confidence in the people involved:
1) People monitoring security lists (including non-public ones),
   fixing security bugs and uploading the fixed packages, handing
   them over to the second group
2) People monitoring security-related uploads by normal maintainers,
   checking whether the fix is actually in there (and nothing unrelated)
   and finally moving the package into security.debian.org and
   announcing them.

The most recent security problems, namely in sudo and spamassassin, have
both been fixed by the normal maintainer who also uploaded the fixed
packages AFAICT. However, those fixed packages never made it to
security.debian.org for one reason or another.

I think that there should be a core security team, which handles the
actual addition of packages to security.debian.org after some
verification (this core team basically just gets a reference to or copy
of a vulnerability announcement and a package which fixes it).

There should be a larger team which monitors security lists, fixes bugs,
helps maintainers to fix bugs etc.

This way it is hopefully possible to avoid the current situation where
fixed packages exist for several weeks but nobody actually moves them to

We should make sure that the core team has as few additional jobs in
Debian as possible, trying to avoid them being over-worked. Obviously,
it could make sense though to have some or all core team members in the
broader team as well.

PS: I would help the security team if I could, but currently this
doesn't seem possible for two reasons: I don't have enough time to even
read the most important security lists and I am no DD yet.
