Re: Some ideas from the "Supporting 15.000 packages" BoF

To: debian-qa@lists.debian.org
Subject: Re: Some ideas from the "Supporting 15.000 packages" BoF
From: Roberto C. Sánchez <roberto@connexer.com>
Date: Sat, 7 Jul 2007 12:08:18 -0400
Message-id: <[🔎] 20070707160818.GA18207@santiago.connexer.com>
Mail-followup-to: debian-qa@lists.debian.org
In-reply-to: <[🔎] slrnf8vbh5.70a.jmm@inutil.org>
References: <20070625230750.GB8502@qamar> <[🔎] slrnf8vbh5.70a.jmm@inutil.org>

On Sat, Jul 07, 2007 at 05:15:49PM +0200, Moritz Muehlenhoff wrote:
> 
> debtags seemed the most passable choice. I believe we need:
> * [etch|lenny]-security-unsupported to flag that a source package has no
>   support by the Security Team. It should be distribution-specific to
>   allow revoking support for individual suites, as it was necessary for
>   Mozilla in Sarge.

Naturally, this should be used sparingly and even then only when
absolutely necessary.  The Sarge Mozilla is an excellent example of
that.  The security team did everything it could and then only was
support suspended as a last resort.

> * local-use-only (or something similar, I'm unsure about the exact naming),
>   to indicate that security support only applies to local, trusted users.
>   An example: SQL-Ledger has a horrible security track record, so we only
>   support to run it behind an authenticated HTTP zone. It's still a useful
>   software and limiting support is a viable choice; doing accounting carries
>   a whole lot of implicit trust anyway.
> 
I agree with this in principle.  However, if "limited" security support
is something which will be an official part of the security team's
support, then there must be guidelines.  That is, the security team (or
the package maintainer with the approval of the security team) should
provide guidelines as to exactly what security support will provided and
what security support will not be provided.  IIRC, something like this
has already been done for PHP regarding safe mode.  In this way,
administrators can know which configurations will receive security
support and which will not.

I would recommend that if this is to be come something that applies to
more than one or two packages, then a new file needs to be introduced.
Call it SECURITY.Debian (similar to README.Debian).  That way, the mere
existence of the file alerts the user/admin to special considerations
which need to be examined for that package's security support.  The
admin can then read the contents of the file to find the security team's
position on supporting that package.

Regards,

-Roberto

-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com

Attachment: signature.asc
Description: Digital signature

Reply to:

References:
- Re: Some ideas from the "Supporting 15.000 packages" BoF
  - From: Moritz Muehlenhoff <jmm@inutil.org>

Prev by Date: Re: Some ideas from the "Supporting 15.000 packages" BoF
Next by Date: Processed: Still broken
Previous by thread: Re: Some ideas from the "Supporting 15.000 packages" BoF
Next by thread: Bug#431670: Still broken
Index(es):
- Date
- Thread