
Re: Bad press related to (missing) Debian security



Matt Zimmerman wrote on 27/06/2005 20:26:
> On Mon, Jun 27, 2005 at 01:10:10PM -0500, Adam Majer wrote: 
> 
>>are happy the fix will not mess up current functionality. How many
>>people do we need on the actual security team? The current listing states,
>>
>># Security Team -- <debian-security-private@lists.debian.org>
>>     /member/ Martin Schulze
>>     /member/ Wichert Akkerman
>>     /member/ Daniel Jacobowitz
>>     /member/ Michael Stone
>>     /member/ Matt Zimmerman
>>     /secretary/ Noah Meyerhans
>>     /secretary/ Steve Kemp
>>
>>Is this enough?
> 
> I expect it would be enough if they were all active, but that has never been
> the case for this group.  Wichert, Daniel, Michael and myself are all de
> facto inactive for various reasons, and have been for some time.

So what you are saying is basically:
The security team currently is Martin Schulze who has two secretaries
(whatever a secretary for the security team might do).

> The security team has always been a difficult one to expand.  A strong level
> of trust is necessary due to confidentiality issues, and security support is
> a lot of (mostly boring and thankless) work. 

Like I said in another mail, the security team should probably consist
of two groups (which might have some intersection). However the level of
trust needed to get on the security team shouldn't be so high that only
one active member is on the team. Given the size of Debian and the fact
that the only remaining active member of the team is overworked due to
his many activities in Debian (I thank him for everything he does and
did), I would say that at least five new members should be found for the
team.

> However, expanding it seems like the only way to make it sustainable.

Obviously. And I also have to say: If you haven't been active on the
team for some time, you should have made that clear on the listing. I
really can't understand how you (as a group) could let it get this far.
If most of the group is inactive, you should at least find the time to
accept some new members into the group (and I know many have offered
their help).
I understand that there needs to be some level of trust, so you probably
should appoint some person you can trust for one reason or another.
However, while I see that a high level of trust is needed for access to
non-public security lists, I don't see why Debian as a whole should
require a substantially higher level of trust for security uploads than for
normal uploads. Though I wouldn't want every maintainer to have the
ability to directly upload to security.d.o, I wouldn't have a problem
assigning an almost random number of them the ability and responsibility
to do so.

BTW: If he accepted, I would recommend Martin F. Krafft to get on the team.

cu,
sven


