martin f krafft wrote on 27/06/2005 20:02:
> [cc'ing -project]

I currently see two problems which require different levels of confidence in the people involved:

1) People monitoring security lists (including non-public ones), fixing security bugs and uploading the fixed packages, handing them over to the second group.

2) People monitoring security-related uploads by normal maintainers, checking whether the fix is actually in there (and nothing unrelated) and finally moving the package into security.debian.org and announcing them.

The most recent security problems, namely in sudo and spamassassin, have both been fixed by the normal maintainer who also uploaded the fixed packages AFAICT. However, those fixed packages never made it to security.debian.org for one reason or another.

I think that there should be a core security team, which handles the actual addition of packages to security.debian.org after some verification (this core team basically just gets a reference to or copy of a vulnerability announcement and a package which fixes it). There should be a larger team which monitors security lists, fixes bugs, helps maintainers to fix bugs etc. This way it is hopefully possible to avoid the current situation where fixed packages exist for several weeks but nobody actually moves them to security.debian.org.

We should make sure that the core team has as few additional jobs in Debian as possible, trying to avoid them being over-worked. Obviously, it could make sense though to have some or all core team members in the broader team as well.

cu, sven

PS: I would help the security team if I could, but currently this doesn't seem possible for two reasons: I don't have enough time to even read the most important security lists and I am no DD yet.