
Re: Bad press related to (missing) Debian security

[cc'ing -project]

also sprach W. Borgert <debacle@debian.org> [2005.06.27.1525 +0200]:
> Just FYI: The well-known German Heise Newsticker (IT related) has an
> article today with the title "Debian without security update for
> several weeks": http://www.heise.de/newsticker/meldung/61076
> Hm, bad reputation for us...

It was only a question of time. I had asked Joey publicly about this
at Linuxtag, so it's likely that this is the reason for the coverage
by Heise. While I did not want to push Joey into a corner, it was
quite scary to hear him explain that due to his involvement with
Linuxtag, he did not even find the time to read his email. This is
not to blame Joey (without whom we wouldn't be where we are), but
rather a plea for the Debian project to take *immediate* action. If
Joey does not have time, security support just comes to
a screeching halt. Talk about a bottleneck!

Our security team currently consists of five members and two
secretaries. Joey is hopelessly overworked, but he is still doing
a marvelous job. I do not know anything about the other members as
they do not seem to be very active, neither on IRC nor on the
mailing lists.

The problem is that access to security.debian.org is restricted.
Well, that's a good thing. But it's a problem when it comes to
bottleneck situations as in the current case, when Joey is too
occupied to handle his tasks as security team leader. I don't blame
him at all. Without him, there would probably be far less Linuxtag,
and he is after all not committed to spend 24 hours of his days on

But I do wonder: if Joey was busy for two weeks and
security.debian.org was not working right, what did the other four
members and the two secretaries do?

I think we all agree that we cannot go on like this. We need to add
a lot of redundancy to the team. And with that, I don't mean the one
or two new members Joey promised in his answer to me. With that,
I mean that the size of the archive calls for a security team of 20
people or more.

Security is a delicate domain since Debian does need to ensure
a level of privacy, so calling for complete openness as with other
projects won't work. Obviously, we can't just appoint the first 20
to raise their hands. But what we can do is figure out the skills
needed to successfully work with the team and ensure Debian's

So far, these requirements have been very unclear to me, at least.
There have been times when I was very active, monitoring security
forums and fixing bugs, but the security team never approached me
for help. I have been teaching security to professional audiences for
five years now, so I would actually claim to have at least the necessary
foundation upon which I can quickly learn to adapt to the processes
of the security team.

I am sure I am not the only one. And I am also sure not to be the
only one without a clue what to do. In general, my experience has
been that security@debian.org is a black hole, and that offers to
help are ignored. Of course, the Debian meritocracy calls for us to
just do something to rise up the ladder according to our
accomplishments, but as with the other obscure domains of the Debian
project, which are not open to anyone to just peek at and learn,
it's really difficult to do this when it means working as a blind
person with a couple of mutes.

So at the end of this very long post, I guess I get in line with all
the other folks who'd like to have a statement from the other
members of the security team about what's going on.

At the same time, though, I think we need to take immediate action.
Among the first steps would be the analysis of the status quo. I am
going through the list of CVEs right now. There are *loads*. And
I could use help. I'll ping out to joeyh to see if we could put his
scripts for testing-security to any use.

As soon as we have a list of issues, everyone involved in security
issues should get on the debian-security list (that's what we have)
and add references to bug reports, or open new discussion threads.
From there, we should try to create fixed packages one after the
other and do everything we can to make it as easy as possible for
Joey to upload.

Once we've come back to normal, we should then see what to do about

Thanks for your patience.

Please do not send copies of list mail to me; I read the list!
 .''`.     martin f. krafft <madduck@debian.org>
: :'  :    proud Debian developer, admin, user, and author
`. `'`
  `-  Debian - when you have better things to do than fixing a system
Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!
"i don't think so," said rene descartes. just then, he vanished.
