Re: [Secure-testing-commits] r11636 - data/CVE
Kees Cook wrote:
> On Fri, Apr 17, 2009 at 09:48:47AM -0400, Michael S. Gilbert wrote:
> > i have one request to improve the process: please submit a 'NOTE' with
> > a link to the ubuntu patch whenever you issue a fix that hasn't been
> > issued by debian yet. this will help to increase the debian security
> > team's awareness of the work that has already been done, and hopefully
> > make it easier/faster to issue fixes. in fact, it would be preferable
> > to get this information during the process of preparing the patch,
> > rather than after the USN is issued.
>
> I think this would be do-able. We don't really have the best integration
> for our -security pocket when it comes to patch extraction. Right now the
> Ubuntu build-thing ("Soyuz") generates debdiff per-upload, but it gets
> easily confused by the -security pocket (i.e. it generates a diff against
> release, not the -security origin). I have bugs open for them to get it fixed,
> so this will improve.
>
> Assuming I can generate a URL with a patch (and we'd have up to 5 patch
> URLs, depending on which of our releases were affected), the logic would
> be: if <unfixed> and patch URL exists, add NOTE:. Sounds right?
Sounds right, but please don't invest too much time in it. In most cases,
we use the same patch as provided by upstream or through vendor-sec and the
time needed to verify that a backport is correct is almost identical to
backporting it myself (with a few exceptions, of course). Still, that would
be very nice for review of one's own work.
For Debian we're planning a mailing list to which debdiffs of all source
packages issued through the security archive are sent. This way,
any user can review the patches post-release.
> > btw, it's great that you're now pushing your nfu's to debian. at least
> > that work will now get split between the two distros, rather than
> > duplicating the effort. thanks!
>
> Absolutely! I've been doing it for quite a while now, actually. I really
> do want to reduce work for both teams, and this was the lowest hanging
> fruit. Next lowest was putting in <unfixed> entries where Debian still had
> "TODO: check". Not really clear on what's next, though. :)
You can join the Debian Security Team, if you like.
Cheers,
Moritz