
Re: [Secure-testing-team] Re: Removing insecure packages from etch



dann frazier wrote:
> On Wed, Aug 16, 2006 at 05:07:31AM +0200, Goswin von Brederlow wrote:
> > Could we quantify that somewhat? Is one security bug enough? Are 10?
> > Do we have a delegate that could audit and veto a package already
> > other than the release team? Is that the domain of QA or security?
> > 
> > Maybe any new package (one not in stable already) that has a security
> > bug could be automatically blocked from the next stable release until
> > a source audit by some team (security? qa?) is done? Doing this for
> > every new package is probably too much to ask timewise but for any
> > package known to have one exploit already that seems prudent.
> 
> imo, that is a separate, more proactive problem to solve - and for
> that, metrics will probably need to be created, used, reassessed, etc.

Through the Debian security tracker database we have a solid history of
security problems ranging back to 2004, which gives some useful metrics.
 
> But for now (i.e., for etch), I would think it sufficient for the
> security team to agree that they cannot sanely security support a
> package. I don't think we need a well established process for this, at
> least anything more than consensus within the security team.

I'll file a bug against mantis.

Cheers,
        Moritz


