security support for squeeze?



Hi,

I'm trying to figure out what we need for security support for squeeze.
One blocker I know of is the dak upgrade on security-master. Are there
other things needed on the security team's side?

The release notes also need an update regarding security support.  We
currently have the following text:

> <section id="mozilla-security" condition="fixme">
> <title>Security status of Mozilla products</title>
> <para>
> <indexterm><primary>Mozilla</primary></indexterm>
> The Mozilla programs <systemitem role="package">firefox</systemitem>, 
> <systemitem role="package">thunderbird</systemitem>, and
> <systemitem role="package">sunbird</systemitem> (rebranded in Debian to
> <systemitem role="package">iceweasel</systemitem>, <systemitem
> role="package">icedove</systemitem>, and <systemitem 
> role="package">iceowl</systemitem>, respectively), are important tools for
> many users.  Unfortunately the upstream security policy is to urge users to
> update to new upstream versions, which conflicts with Debian's policy of not
> shipping large functional changes in security updates.  We cannot predict it
> today, but during the lifetime of &releasename; the Debian Security Team may come to a
> point where supporting Mozilla products is no longer feasible and announce the
> end of security support for Mozilla products.  You should take this into
> account when deploying Mozilla and consider alternatives available in Debian if
> the absence of security support would pose a problem for you.
> </para>
> <para>
> <systemitem role="package">iceape</systemitem>, the unbranded version
> of the <systemitem role="package">seamonkey</systemitem> internet
> suite has been removed from &releasename; (with the exception of a few
> internal library packages).
> </para>
> </section>

I suspect that this is still valid (excluding the part about iceape,
which is back in squeeze).  Should we add a blurb about the webkit-based
browsers (epiphany, chromium, konqueror, others?)?  If so would anybody
like to propose wording?

> <section id="webservice-security" condition="fixme">
> <title>Security status of OCS Inventory and SQL-Ledger</title>
> <para>
> <indexterm><primary>OCS Inventory</primary></indexterm>
> <indexterm><primary>SQL-Ledger</primary></indexterm>
> The webservice packages <systemitem
> role="package">ocsinventory-server</systemitem> and <systemitem
> role="package">sql-ledger</systemitem> are included in the &releasename;
> release but have special security requirements that users should be aware of
> before deploying them.  These two webservices are designed for deployment
> only behind an authenticated HTTP zone and should never be made available to
> untrusted users; and therefore they receive only limited security support
> from the Debian security team.  Users should therefore take particular care
> when evaluating who to grant access to these services.
> </para>
> </section>

Has this changed (I guess not)?  Are there other webapps in this
category?

Finally, are there other packages we know have limited security support,
and should be mentioned there?

Thanks,
Julien
