[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Questions regarding the Security Secretary Position



I'm awfully sorry for the delay, but I wasn't able to work on this
earlier again.

Here's a list of questions and answers that came up with the posting I
made last week.

Q: Is a requirement being a Debian developer?

   No.  It is my understanding that it would be good to have "fresh
   blood" in the team.  Working on security can cost a lot of time,
   thus it could even be helpful not being a Debian developer since
   that implies active package maintenance as well.  However, similar
   knowledge is very helpful, and may be required when working on
   issues.

Q: How much time is required to fill the position?

   That's something I don't know.  When I started with Debian
   Security, it was easy to do, there were two architectures, about
   1000 packages and not too many security incidents reported.

   This has changed.  We're at some 5000 packages, often there are
   more than two security incidents reported per week which we'll have
   to investigate, and there are six released architectures, probably
   12 for the next release.

   I can imagine that this job requires about 10-20 hours per week.
   However, it's possible that there are a couple of weeks where no
   work is to be done.  One has to expect that this position requires
   a lot of time.

Q: Are you open to finding a small (2-3 person) team to fill this role?

   Yes, I am open to this idea.  This would be based on my practise of
   forming a team in order to make it less dependant of one person
   (see listmaster, debian-admin, security etc.).

   However, the more people are involved, the more coordination has to
   be done.  On the other side, security is crucial and we should do
   anything that can improve the situation.

Q: How will the person/team come up to speed?

   I can't parse the question.

   In my announcement I wrote several tasks that this person/team
   would have to work on.  I forgot documentation thouth.  Please see
   <http://lists.debian.org/debian-security-0109/msg00225.html>

Q: What are the personal requirements?

   At least one of the secretary team needs to be able to code in C
   and understand Debian packaging as well as security incidents.  It
   would be useless if the person won't understand how an exploit
   works.

   If more than one person is going to fill this position than a
   second person could specialize on tracking problems and
   documentation while the first person works on details, programming
   and fixing.

   A lot of spare time is required as well.

Q: What is the method you will choose this person?

   The current Debian Security Team will discuss volunteers and
   appoint 1-3 persons.

Regards,

	Joey

-- 
No question is too silly to ask, but, of course, some are too silly
to answer.   -- Perl book

Attachment: pgpT5hXbZ3xLK.pgp
Description: PGP signature


Reply to: