Re: [Secure-testing-commits] r11636 - data/CVE

To: "Michael S. Gilbert" <michael.s.gilbert@gmail.com>
Cc: debian-security-tracker@lists.debian.org, security@ubuntu.com
Subject: Re: [Secure-testing-commits] r11636 - data/CVE
From: Kees Cook <kees@ubuntu.com>
Date: Wed, 29 Apr 2009 12:21:17 -0700
Message-id: <[🔎] 20090429192117.GD8586@outflux.net>
In-reply-to: <[🔎] 20090419170514.7ddcc214.michael.s.gilbert@gmail.com>
References: <E1Lucq1-0001Mg-B4@alioth.debian.org> <20090417093019.GC26526@ngolde.de> <[🔎] 20090417105738.d32fc8c1.michael.s.gilbert@gmail.com> <[🔎] 20090417155041.GV9232@outflux.net> <20090418150136.GA428@ngolde.de> <[🔎] 20090419170514.7ddcc214.michael.s.gilbert@gmail.com>

Hi,

On Sun, Apr 19, 2009 at 05:05:14PM -0400, Michael S. Gilbert wrote:
> hence, i think the following would be a good process for ubuntu
> security triagers:
> 
> 1.  triage issue in ubuntu
> 2.  check status of CVE in debian (debsecan could be used for this)
> 3.  submit bug report to launchpad (with link to debian bug report if
> it already exists)
> 4.  update ubuntu security tracker
> 5.  if no existing debian report, submit bug to bugs.debian.org (note
> that bin/report-vuln in secure-testing svn makes this semi-automated),
> and preferably include a link to the launchpad report so the debian
> maintainer can make use of your existing work
> 6.  wait for email from the debian bts with bug # and update
> data/CVE/list with this info

I should probably describe the two hats I wear: I'm employed by Canonical
to work on Ubuntu's "main" repository, and I'm a Debian Developer with some
of my free time.  Wearing my Debian hat, my time is limited, so I focus
on areas of Debian that interest me.  As it happens, I don't tend to spend
a large amount of my Debian time on security issues, since that's my day
job.  :)

Now, with my Canonical hat on, my role is the same as the other two
Canonical-employed Ubuntu Security Team folks: we are mandated to work on
security issues in "main" and to help facilitate work on "universe".  To
this end, our current workflow for "step 1" above is to map CVEs to
packages in general, and if the package is in "main", we dig further to
identify specifically which versions of packages are affected, etc.  I
would call this "mapping" and "triage".  Since we only triage a subset of
Debian's repository, we are not in a good position to triage everything
for which there is a CVE assigned.  However, since we do mapping for the
entire repository, that's the part of our workflow I've been trying to get
fed back into Debian.  I've been doing this for some time now with NFUs.

I feel that both "mapping" and "triage" are non-trivial tasks and had
assumed that helping with the "mapping" part would be a good thing.
Since the Ubuntu team has many priorities and tasks to juggle beyond
strictly triage work, we cannot commit to doing full triage of everything.
It's not because we don't want to help, but rather because our work
priorities demand our attention in other places.  I do, however, want to
try to help in ways that are useful to Debian, obviously.

The sync of NFUs seems to be generally accepted, so we'll continue to do
that.  Should we continue to attempt to open <unfixed> entries for stuff
that is not yet listed in the Debian tracker?

-Kees

-- 
Kees Cook
Ubuntu Security Team

Reply to:

References:
- Re: [Secure-testing-commits] r11636 - data/CVE
  - From: "Michael S. Gilbert" <michael.s.gilbert@gmail.com>
- Re: [Secure-testing-commits] r11636 - data/CVE
  - From: Kees Cook <kees@ubuntu.com>
- Re: [Secure-testing-commits] r11636 - data/CVE
  - From: "Michael S. Gilbert" <michael.s.gilbert@gmail.com>

Prev by Date: Re: [Secure-testing-commits] r11636 - data/CVE
Next by Date: No tracker pages for DSA-178[34]-1
Previous by thread: Re: [Secure-testing-commits] r11636 - data/CVE
Next by thread: DSA-1771-1 vs. tracker
Index(es):
- Date
- Thread