
Seeking for a Debian Security Secretary

Current problems with Debian Security have led me to reconsider
this issue, which I thought about one year ago or so.  Debian Security
is very crucial to our users and thus should be managed properly.

To help improve the situation I'm offering a very important job within
the Debian project.  I'd like to have somebody who will help the core
Debian Security Team do their work.  This seems to be required
since all members of the Security Team have other important things to
do and still don't know how to fork(2) themselves.

This position requires:

 . Discussing security problems with the Security Team, as well as
   with third parties.

 . Notifying the Security Team of incidents they haven't noticed.

 . Maintaining an internal list of security incidents, both resolved
   and unresolved.

 . Reminding members of the Debian Security Team until they release an
   advisory or decide that Debian is not vulnerable to a particular

 . Ensuring that not only packages in stable but also in the unstable
   distribution contain security fixes.  This implies continuously
   kindly reminding package maintainers, eventually also preparing
   releases or NMUs for unstable with the help of the QA or Security Team.

 . Extracting security patches from other vendors' security fixes for
   further investigation by the Security Secretary or the Debian
   Security Team.

 . Preparing security patches together with the Debian Security Team.

This is done by:

 . Reading and understanding bugtraq.

 . Monitoring[2] other distributions' security advisories (at least
   Immunix, Trustix, EnGarde, Caldera, RedHat, SuSE, Mandrake and
   Conectiva, the more the better).  This should be done by
   subscribing to other vendors' security lists.

 . Reading and understanding mail on the private list of the Debian
   Security Team.


[1] From time to time the Security Team forgets about security issues.
    It is very time-consuming doing research for old issues, but it
    has to be done.

[2] http://www.infodrom.ffis.de/Linux/security/ could help with this,
    but it is also not complete enough.



The good thing about standards is that there are so many to choose from.
	-- Andrew S. Tanenbaum
