Re: [Secure-testing-team] Re: Removing insecure packages from etch
dann frazier wrote:
> On Wed, Aug 16, 2006 at 05:07:31AM +0200, Goswin von Brederlow wrote:
> > Could we quantify that somewhat? Is one security bug enough? Are 10?
> > Do we have a delegate that could audit and veto a package already
> > other than the release team? Is that the domain of QA or security?
> > Maybe any new package (one not in stable already) that has a security
> > bug could be automatically blocked from the next stable release until
> > a source audit by some team (security? qa?) is done? Doing this for
> > every new package is probably too much to ask timewise but for any
> > package known to have one exploit already that seems prudent.
> imo, that is a separate, more proactive problem to solve - and for
> that, metrics will probably need to be created, used, reassessed, etc.
Through the Debian security tracker database we have a solid history of
security problems ranging back to 2004, which gives some useful metrics.
> But for now (i.e., for etch), I would think it sufficient for the
> security team to agree that they cannot sanely security support a
> package. I don't think we need a well established process for this, at
> least anything more than consensus within the security team.
I'll file a bug against mantis.