
Re: [Secure-testing-commits] r11636 - data/CVE



Kees Cook wrote:
> On Fri, Apr 17, 2009 at 09:48:47AM -0400, Michael S. Gilbert wrote:
> > i have one request to improve the process:  please submit a 'NOTE' with
> > a link to the ubuntu patch whenever you issue a fix that hasn't been
> > issued by debian yet.  this will help to increase the debian security
> > team's awareness of the work that has already been done, and hopefully
> > make it easier/faster to issue fixes.  in fact, it would be preferable
> > to get this information during the process of preparing the patch,
> > rather than after the USN is issued.
> 
> I think this would be do-able.  We don't really have the best integration
> for our -security pocket when it comes to patch extraction.  Right now the
> Ubuntu build-thing ("Soyuz") generates debdiff per-upload, but it gets
> easily confused by the -security pocket (i.e. it generates a diff against
> release, not -security origin).  I have bugs open for them to get it fixed,
> so this will improve.
> 
> Assuming I can generate a URL with a patch (and we'd have up to 5 patch
> URLs, depending on which of our releases were affected), the logic would
> be: if <unfixed> and patch URL exists, add NOTE:.  Sounds right?

Sounds right, but please don't invest too much time in it. In most cases,
we use the same patch as provided by upstream or through vendor-sec and the
time needed to verify that a backport is correct is almost identical to
backporting it myself (with a few exceptions, of course). Still, that would
be very nice for review of one's own work.

For Debian we're planning a mailing list, where debdiffs of all source
packages issued through the security-archive are sent to. This way,
any user can review the patches post-release.

> > btw, it's great that you're now pushing your nfu's to debian.  at least
> > that work will now get split between the two distros, rather than
> > duplicating the effort.  thanks!
> 
> Absolutely!  I've been doing it for quite a while now, actually.  I really
> do want to reduce work for both teams, and this was the lowest hanging
> fruit.  Next lowest was putting in <unfixed> entries where Debian still had
> "TODO: check".  Not really clear on what's next, though.  :)

You can join the Debian Security Team, if you like.

Cheers,
        Moritz
