
Re: Security team plans for the squeeze cycle



Moritz,

I remember a posting some time ago saying that there is no testing security
support for a while, but I did not yet see an announcement that squeeze
security support is in place. Did I miss it, or is testing still w/o security
support?

Many thanks,
Rainer

On Sunday, 30 August 2009, Moritz Muehlenhoff wrote:
> Dear release people,
>
> > As announced on dda [RT1], we want to get an impression when releasing
> > Squeeze is feasible. We have proposed a (quite ambitious) freeze in
> > December 2009, and some developers have noted that their planned changes
> > wouldn't be possible in this time frame. So, to find out when releasing
> > would work for most people, it would be great if you could answer the
> > following questions:
> >
> > Do you have any big changes planned? How much time would they take, and
> > what consequences are there for the rest of the project?
> >
> > How many "big" transitions will the upcoming changes cause? When should
> > those happen? Can we do something to make them easier?
>
> We discussed the hardening options at DebConf: We would like to see
> "-fstack-protector", "-D_FORTIFY_SOURCE=2", "-Wformat" and
> "-Werror=format-security" set as default build flags through
> dpkg-buildpackage for at least i386 and amd64 (some embedded archs don't
> implement it). We need to run more benchmarks before filing a bug about
> this, but we don't expect much fallout caused by build failures.
>
> Shortening the release time frame causes some difficulties: Security
> support for oldstable ends one year after the release of stable or with the
> release of stable+1. Having a release one year after Lenny release will be
> difficult for large organisations.
>
> The initial announcement of the new release plans contained the idea to
> support upgrades to Lenny to Debian 7.0. We don't have the resources to do
> that, supporting the current state of affairs is difficult enough.
>
> Cheers,
>         Moritz



-- 
Rainer Dorsch
Lärchenstr. 6
D-72135 Dettenhausen
07157-734133
email: rdorsch@web.de
jabber: rdorsch@jabber.org
GPG Fingerprint: 5966 C54C 2B3C 42CC 1F4F  8F59 E3A8 C538 7519 141E
Full GPG key: http://pgp.mit.edu/
