[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: [Secure-testing-team] Re: Removing insecure packages from etch

On Thu, Aug 17, 2006 at 02:25:58AM +0200, Goswin von Brederlow wrote:
> > That's currently the domain of the BTS. Anyone could publish sufficient
> > security (RC bugs) in a vulnerable package that it would make it impossible
> > for it to be released. Of course that would only be possible if:
> That wasn't what I suggested (below). The BTS only stops a package
> from being released due to known bugs. I ment that if a package has
> such a bug that it gets still blocked from the next release even if
> the bug is fixed without an audit of the code by e.g. the security
> team.

I know that is not what you suggested, you asked what we currently do, and
what we currently do (audit and security team) is bug through the BTS AFAIK
and that's what might prevent a bug.

> I would rather have less packages in stable so that the security team
> does have enough resources. If a package is in reasonable danger of
> having security bugs then it should not get into stable.

The problem here is determine "reasonable danger" I would say that there are
more chances of unused / unaudited packages having "reasonable danger" than a
package which is widely used and reviewed (even if many bugs have been
found). But that's just my opinion.



Attachment: signature.asc
Description: Digital signature

Reply to: