On Fri, 19 Jun 2009 14:31:52 -0400 Michael S. Gilbert wrote:

> On Fri, 19 Jun 2009 20:17:18 +0200, Francesco Poli wrote:
> > I am aware of this distinction, I just considered the start of (more or
> > less) regular DTSA publishing as a sign of Debian Testing Security team
> > activity on the testing suite.
> >
> > Having a (more or less regular) DTSA flow is certainly not enough to
> > claim that Debian testing is officially supported security-wise, but
> > it's certainly better than not even having DTSAs... ;-)
>
> agreed, but it may be more useful to actually look at flow (e.g.
> DTSAs/month over similar time frames).

Definitely, but it would require a more accurate and time-consuming
analysis of past DTSAs... I just didn't find the time to perform such an
analysis. :-(

> however, is there any reason to
> issue DTSAs when testing is not officially security-supported anyway?
> it seems like more work than necessary, especially since eventually the
> fixed unstable packages will transition into testing automatically
> (without any effort on anyone's part).

This line of reasoning seems really strange to me.

You seem to say: "since testing is not officially supported, there's no
reason to do *anything* that would improve its security".
What's the next step, then? Intentionally introduce vulnerabilities into
testing, since it's not officially supported anyway?!? ;-)

You seem to reason as if security were an all-or-nothing, black-or-white
thing. I think that there are several gray scales between an ideal 100 %
secure system (which is unfortunately impossible to obtain in the real
world) and a miserable (security) failure.

As a consequence, I think that *anything* that could be done to push
Debian testing in the direction of a more secure system is worth doing.
Even *some* DTSAs are better than *no* DTSAs. Even *some* efforts from
the Testing Security team are better than *nothing*.

Make no mistake, I am *not* saying that the Testing Security team is
doing nothing.
As I said in this same thread, I was happy to see a pair of DTSAs and I
am pretty sure that many other actions are taken (in a less visible way)
to make sure that important security-related fixes are applied to
unstable and migrate from unstable to testing as fast as possible.
This is *greatly* appreciated, especially if lack of manpower is taken
into account!

I just think that the goal of the Debian Testing Security team should be
to officially support Debian testing *always*, and not only for a few
months before a stable release.

That's why I was wondering what could be done to improve the situation:
a new call for help perhaps, and, at the same time, an automatic
mechanism to re-use some DSAs as DTSAs, which would be useful,
especially early after a stable release, i.e. when it is apparently more
difficult to provide good Debian testing security support...

-- 
 New location for my website! Update your bookmarks!
 http://www.inventati.org/frx
..................................................... Francesco Poli .
 GnuPG key fpr == C979 F34B 27CE 5CD8 DC12 31B5 78F4 279B DD6D FCF4