Re: Debian Security Support in Place
(open letter to the debian security team)
on friday, 8th july 2005 07:58 Martin Schulze wrote:
> The Debian project confirms that the security infrastructure for both
> the current release Debian GNU/Linux 3.1 (alias sarge) and the former
> release 3.0 (alias woody) is working again. The security team is now
> able to provide updates on a regular basis again.
> There were several issues with the security infrastructure after the
> release of sarge, that lead to the Debian security team being unable
> to issue updates to vulnerable packages. These issues have been fully
> resolved, and the infrastructure is working correctly again.
Nice to hear, thanks to all. You obviously spent a lot of time and efforts in
restoring debian security. Thanks.
But maybe, some rather constructive critism is required as well- and
ehm, well, to be honest, imho this is not satisfying:
It has never been official announced, that the security infrastructure is not
working. It is quite confusing, that you report the end of problems you
haven't reported at first, furthermore if the end of this problem justifies
an official debian announce, the beginning of this problem should have been
Knowing a security problem is imho probably more important than knowing not
having a problem, because, a security problem requires defensive actions.
Another point is the explanation.
"several issues with the security infrastructure" can probably mean anything.
From failing power supplying units up to conflicts within the security team.
By that the explanation is not satisfying, too.
There has been a few rumours in joey's blog, but anyway, I'm missing official
statements / announces, why this had happend (technically and
non-technically) how it was solved, and how it is prevent in the future - and
I guess, others are missing 'em as well.
Looking back to the break-in 2003, this issue was handled very good and
transparent. Imho this was a good example how things can be handled -
thus going on that way ought to be quite better.
Thanks for your patience,