security support for squeeze?


I'm trying to figure out what we need for security support for squeeze.
One blocker I know of is the dak upgrade on security-master, are there
other things needed on the security team's side?

The release notes also need an update regarding security support.  We
currently have the following text:

> <section id="mozilla-security" condition="fixme">
> <title>Security status of Mozilla products</title>
> <para>
> <indexterm><primary>Mozilla</primary></indexterm>
> The Mozilla programs <systemitem role="package">firefox</systemitem>, 
> <systemitem role="package">thunderbird</systemitem>, and
> <systemitem role="package">sunbird</systemitem> (rebranded in Debian to
> <systemitem role="package">iceweasel</systemitem>, <systemitem
> role="package">icedove</systemitem>, and <systemitem 
> role="package">iceowl</systemitem>, respectively), are important tools for
> many users.  Unfortunately the upstream security policy is to urge users to
> update to new upstream versions, which conflicts with Debian's policy of not
> shipping large functional changes in security updates.  We cannot predict it
> today, but during the lifetime of &releasename; the Debian Security Team may come to a
> point where supporting Mozilla products is no longer feasible and announce the
> end of security support for Mozilla products.  You should take this into
> account when deploying Mozilla and consider alternatives available in Debian if
> the absence of security support would pose a problem for you.
> </para>
> <para>
> <systemitem role="package">iceape</systemitem>, the unbranded version
> of the <systemitem role="package">seamonkey</systemitem> internet
> suite has been removed from &releasename; (with the exception of a few
> internal library packages).
> </para>
> </section>

I suspect that this is still valid (excluding the part about iceape,
which is back in squeeze).  Should we add a blurb about the webkit-based
browsers (epiphany, chromium, konqueror, others?)?  If so would anybody
like to propose wording?

> <section id="webservice-security" condition="fixme">
> <title>Security status of OCS Inventory and SQL-Ledger</title>
> <para>
> <indexterm><primary>OCS Inventory</primary></indexterm>
> <indexterm><primary>SQL-Ledger</primary></indexterm>
> The webservice packages <systemitem
> role="package">ocsinventory-server</systemitem> and <systemitem
> role="package">sql-ledger</systemitem> are included in the &releasename;
> release but have special security requirements that users should be aware of
> before deploying them.  These two webservices are designed for deployment
> only behind an authenticated HTTP zone and should never be made available to
> untrusted users; and therefore they receive only limited security support
> from the Debian security team.  Users should therefore take particular care
> when evaluating who to grant access to these services.
> </para>
> </section>

Has this changed (I guess not)?  Are there other webapps in this

Finally, are there other packages we know have limited security support,
and should be mentioned there?

