also sprach Sven Mueller <debian@incase.de> [2005.06.27.2028 +0200]:
> 1) People monitoring security lists (including non-public ones),
> fixing security bugs and uploading the fixed packages, handing
> them over to the second group
> 2) People monitoring security related uploads by normal maintainers,
> checking whether the fix is actually in there (and nothing unrelated)
> and finally moving the package into security.debian.org and
> announcing them.
3) People backporting security fixes.
4) People fixing packages unattended by their maintainers.
> The most recent security problems, namely in sudo and
> spamassassin, have both been fixed by the normal maintainer who
> also uploaded the fixed packages AFAICT. However, those fixed
> packages never made it to security.debian.org for one reason or
> another.
The problem is actually known. An announcement is under preparation.
> I think that there should be a core security team, which handles
> the actual addition of packages to security.debian.org after some
> verification (this core team basically just gets a reference to or
> copy of a vulnerability announcement and a package which fixes
> it).
Yes, this sounds good. security-ftpmaster.
> There should be a larger team which monitors security lists, fixes
> bugs, helps maintainers to fix bugs etc.
There is a problem with that, namely responsible disclosure. The
team cannot be too big or else the other organisations in the
consortium will object for danger of leakage.
I think what we do need though is an infrastructure which makes it
easier for people to contribute on public issues.
> PS: I would help the security team if I could, but currently this
> doesn't seem possible for two reasons: I don't have enough time to
> even read the most important security lists and I am no DD yet.
No need to be a DD to fix packages and follow them until they appear
on security.debian.org. I know this is not what you want to hear,
but that's just the way it is. As a benefit, the more you help out,
the easier your NM will be (he says and leaves...)
--
Please do not send copies of list mail to me; I read the list!
.''`. martin f. krafft <madduck@debian.org>
: :' : proud Debian developer and author: http://debianbook.info
`. `'`
`- Debian - when you have better things to do than fixing a system
Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!
"a warm bed in a house sounds a mite better
than eating a hot dog on a stick
with an old geezer traveling on a lawn mower."
-- alvin straight (the straight story)