[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Stable security support

Hey all,

As people following planet will already know, I've been working updating
dak (aka katie, the Debian archive kit, and dinstall) to support splitting
the queue of not-yet-released security updates into "unembargoed"
and "embargoed" sections, primarily so that folks from the testing
security group can do their work on the official security.debian.org
infrastructure, without stepping on vendor-sec toes [0]. My blog posts
on the topic are at:


I think that's done now, to the point where, given some minor fixes
(noted in the most recent post above), the testing security guys can
support testing updates on security.d.o without interfering with the
stable security team.

The other aspect of the work is that it should enable the stable security
team to include members who aren't on the vendor-sec privilege list,
and thus share the load a bit more.

There's already been some public concern about the way stable security's
handled, such as:


    -- "Security Team interaction, transparence, scaleability,
        infrastructure and communication"


    -- "The recent security advisories showed some fundamental problems with
        the security support for mozilla. ..."


    -- DPL report on Oldenburg security meeting

    -- Debian compares poorly to other distributions


    -- my summary of the above, includes links to prior news articles


    -- LWN: "it is worth noting that this is the first Debian kernel
       update since sarge was released last June."


    -- Andres Salomon (dilinger)'s blog posts about kernel security issues

Further, my understanding is that some of the recent "delegate" activity,
such as:




have the security team issues as a major underlying motivation.

Having been poking at security support for about a month now, I can
make a couple of further notes to the above. One is that Joey's been
going it alone more than people have realised -- beyond simple things
like the majority of the team members (3 of the 5 full members) being
delisted at Oldenburg because they've been inactive for ages, there are
also things like ftpmaster not being aware of breakage in the uploading
functionality for at least a month, and the kernel team not getting back
to Joey about security updates for two months. The security secretaries
don't have permissions to do terribly much work, and as a consequence
aren't terribly familiar with the tools involved either -- thus limiting
the support they can provide too.

There are two comments from private conversations with the two current
security team members (Joey and mstone) that I think are worth repeating.
The first is in the context of talking to Joey about the overall changes
to the security infrastructure I was implementing:

   <Joey> No, I would like to gather input from the others as well.
     <aj> hrm, i've already talked to some others, who were you thinking of?
   <Joey> mstone, noahm, skx
     <aj> hrm, they got the original mail; i don't want to keep delaying this - 
          it's already been a week since that mail, and a month since i've been 
          working on this
   <Joey> I'd rather delay the implementation and make it real.
     <aj> i wouldn't, and at some point i'm going to have to say "it's ftpmaster's 
          job to maintain the dak-sec infrastructure"
   <Joey> It's not a pressing issue for the security team and there are
          more important items currently.
     <aj> it's a pressing issue for the rest of the project

The second is from mstone, in the context of having people use the unembargoed
infrastructure to work on updates to stable, and assist the security team in
that way.

    On Thu, Dec 15, 2005 at 01:21:37PM +1000, Anthony Towns wrote:
    >TBH, I think adding people immediately is the better strategy

    Well, I disagree. Our fundamental problem has been figuring out what
    needs doing and tracking who's doing what. We're trying to address that,
    and until we do adding people doesn't really help; we just can't scale.

Both quotes pretty much go to the same point: that the security team's
got enough on its plate at the moment, that trying to add people as well
is just too much work. And that's a hard point to argue with: stable
security support is very important, and even if we're already doing
a bad job, doing *worse* and screwing over our users as a consequence
isn't really acceptable, even if there are long term benefits.

But if that's not acceptable, and leaving things as they are isn't
good either, then what's the alternative? The only reasonable one I
can see is for the rest of the project to stop bitching and take on
the responsibility of restructuring our security support into something
that works well, without taking time or support away from Joey in the
meantime. I'm therefore thinking it's worth considering a GR that
the project resolve something like the following:

    * The project expects the highest possible level of security
      support for it users, and in particular that if we don't provide
      better support than every other comparable distribution at all
      times, we are beneath our own expectations.

    * As such, security support for Debian 3.0 and 3.1 has been beneath
      Debian's expectations.

    * The existing security team is operating at capacity in providing
      ongoing security support at present, and as a result, expecting
      the security team to devote time and resources to resolving the
      issue will cause Debian's security support to slip further beneath

    * In order to avoid this, the project thus accepts that it is the
      responsibility of the project at large to resolve this issue.

    * As such:

        - the project authorises a team consisting of Joey Hess,
          Steve Langasek and Micah Anderson to review the stable security
          team's processes and resources and recommend any changes
          they believe appropriate. With the Project Leader's approval,
          these recommendations shall be put into effect.

        - the project authorises the immediate addition of Martin Pitt
          to the stable security team, with the expectation that he will
          make every effort to ease the load on the existing members,
          in so far as that is possible while ensuring his work does
          not conflict or impede that of the existing members.

        - the project authorises and expects all due assistance to be
          provided to the review team and security team in carrying
          out these activities, particularly by the Debian System
          Administration team in ensuring access is available to
          information on how the team is operating, and by the FTP Master
          team in ensuring the capabilities of the security infrastructure
          meet both existing and new expectations.

    * The project offers the security team its thanks and congratulations
      for their efforts to date, and expects the activities noted above
      to be undertaken with the respect and courtesy due the individuals
      who have singlehandedly provided Debian with security support over
      recent years.

I'm not especially obsessed by the people I've named, and I've no real
idea if any of them would actually want to be involved.

FWIW, my reasoning was something like this: Joey Hess started the testing
security people and has written a recent blog article [1] that could be
taken as a comparison of the stable and testing security infrastructures;
Micah's a member of the testing security team and has been trying out
the unembargoed stuff I implemented on security.d.o recently, and also
contributed a fair bit to the security team TaskDescriptions wiki page
mentioned above; and I'd imagine either release manager would have a
vested interest in ensuring security support for etch doesn't become a
showstopper. I also tried picking people who probably weren't interested
in working on stable security updates themselves, and who hadn't gotten
obviously frustrated with the problems already.

Martin Pitt has, aiui, expressed an interest in joining the security team
in the past, already has access to vendor-sec via his Ubuntu work, and
has been feeding updates to the existing security team already. Testing
security team members, kernel security guys, or the existing secretaries
might make equally good or better people to add immediately too.

Anyway, those are my thoughts, and I'm speaking only for myself. I think
it's worth considering the possibility of the project taking a more
active approach to resolving these issues rather than just increasing
the pressure on the security team to resolve it themselves, and I think
the above approach is in keeping with the volunteer nature of Debian
and has a hope of working. YMMV.


[0] vendor-sec is a fairly private list to contact vendors about security
    issues so they can produce fixes for their uses before the
    vulnerability is made public knowledge. It's got fairly strict
    disclosure rules.

[1] http://kitenet.net/~joey/blog/entry/ending_the_tyranny_of_unix_permissions-2005-12-06-19-03.html

Attachment: signature.asc
Description: Digital signature

Reply to: