Re: Bad press related to (missing) Debian security

also sprach Sven Mueller <debian@incase.de> [2005.06.27.2028 +0200]:
> 1) People monitoring security lists (including non-public ones),
>    fixing security bugs and uploading the fixed packages, handing
>    them over to the second group
> 2) People monitoring security related uploads by normal maintainers,
>    checking whether the fix is actually in there (and nothing unrelated)
>    and finally moving the package into security.debian.org and
>    announcing them.
  3) People backporting security fixes.
  4) People fixing packages unattended by their maintainers.

> The most recent security problems, namely in sudo and
> spamassassin, have both been fixed by the normal maintainer who
> also uploaded the fixed packages AFAICT. However, those fixed
> packages never made it to security.debian.org for one reason or
> another.

The problem is actually known. An announcement is under preparation.

> I think that there should be a core security team, which handles
> the actual addition of packages to security.debian.org after some
> verification (this core team basically just gets a reference to or
> copy of a vulnerability announcement and a package which fixes
> it).

Yes, this sounds good. security-ftpmaster.

> There should be a larger team which monitors security lists, fixes
> bugs, helps maintainers to fix bugs etc.

There is a problem with that, namely responsible disclosure. The
team cannot be too big or else the other organisations in the
consortium will object for danger of leakage.

I think what we do need though is an infrastructure which makes it
easier for people to contribute on public issues.

> PS: I would help the security team if I could, but currently this
> doesn't seem possible for two reasons: I don't have enough time to
> even read the most important security lists and I am no DD yet.

No need to be a DD to fix packages and follow them until they appear
on security.debian.org. I know this is not what you want to hear,
but that's just the way it is. As a benefit, the more you help out,
the easier your NM will be (he says and leaves...)

Please do not send copies of list mail to me; I read the list!
 .''`.     martin f. krafft <madduck@debian.org>
: :'  :    proud Debian developer and author: http://debianbook.info
`. `'`
  `-  Debian - when you have better things to do than fixing a system
Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!
"a warm bed in a house sounds a mite better
 than eating a hot dog on a stick
 with an old geezer traveling on a lawn mower."
                                -- alvin straight (the straight story)
