also sprach Sven Mueller <debian@incase.de> [2005.06.27.2028 +0200]:
> 1) People monitoring security lists (including non-public ones),
>    fixing security bugs and uploading the fixed packages, handing
>    them over to the second group
> 2) People monitoring security related uploads by normal maintainers,
>    checking whether the fix is actually in there (and nothing unrelated)
>    and finally moving the package into security.debian.org and
>    announcing them.

3) People backporting security fixes.
4) People fixing packages unattended by their maintainers.

> The most recent security problems, namely in sudo and
> spamassassin, have both been fixed by the normal maintainer who
> also uploaded the fixed packages AFAICT. However, those fixed
> packages never made it to security.debian.org for one reason or
> another.

The problem is actually known. An announcement is under preparation.

> I think that there should be a core security team, which handles
> the actual addition of packages to security.debian.org after some
> verification (this core team basically just gets a reference to or
> copy of a vulnerability announcement and a package which fixes
> it).

Yes, this sounds good. security-ftpmaster.

> There should be a larger team which monitors security lists, fixes
> bugs, helps maintainers to fix bugs etc.

There is a problem with that, namely responsible disclosure. The team
cannot be too big or else the other organisations in the consortium
will object for danger of leakage.

I think what we do need though is an infrastructure which makes it
easier for people to contribute on public issues.

> PS: I would help the security team if I could, but currently this
> doesn't seem possible for two reasons: I don't have enough time to
> even read the most important security lists and I am no DD yet.

No need to be a DD to fix packages and follow them until they appear
on security.debian.org. I know this is not what you want to hear, but
that's just the way it is.

As a benefit, the more you help out, the easier your NM will be (he
says and leaves...)

-- 
Please do not send copies of list mail to me; I read the list!
 .''`.     martin f. krafft <madduck@debian.org>
: :'  :    proud Debian developer and author: http://debianbook.info
`. `'`
  `-  Debian - when you have better things to do than fixing a system

Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!

"a warm bed in a house sounds a mite better than eating a hot dog
 on a stick with an old geezer traveling on a lawn mower."
                                 -- alvin straight (the straight story)