Re: Bad press related to (missing) Debian security
[Martin F Krafft]
>> There should be a larger team which monitors security lists, fixes
>> bugs, helps maintainers to fix bugs etc.
> There is a problem with that, namely responsible disclosure. The
> team cannot be too big or else the other organisations in the
> consortium will object because of the danger of leakage.
> I think what we do need though is an infrastructure which makes it
> easier for people to contribute on public issues.
There already exists a larger team monitoring security lists and CVE
reports, fixing bugs, helping maintainers fix bugs, etc. It works in
public and accepts help from everyone interested in participating. It
is the testing security team,
<URL:http://secure-testing.alioth.debian.org/>. I believe that all
people interested in helping out with the security work in Debian
should make an effort in this team.
This will directly help the security status of Debian unstable and
testing (security fixes for testing are normally uploaded into
unstable), and indirectly help the stable security team, as that team
gets a list of security issues to track, proposed patches, and
knowledge about the security issues discovered, and thus has less work
fixing the publicly known security issues. In addition, it can form a
good recruitment base for the stable security team. Those proving
themselves in the public work with testing security will be good
candidates for the stable security team.
Isn't this a good way to do it?