Re: Timeliness of Debian Security Announceness? (DSA 756-1 Squirrelmail)

To: Herwig Wittmann <herwig-amazon@atnet.at>
Cc: debian-security@lists.debian.org
Subject: Re: Timeliness of Debian Security Announceness? (DSA 756-1 Squirrelmail)
From: Jeroen van Wolffelaar <jeroen@wolffelaar.nl>
Date: Fri, 15 Jul 2005 12:57:28 +0200
Message-id: <[🔎] 20050715105728.GC9320@A-Eskwadraat.nl>
In-reply-to: <[🔎] Pine.LNX.4.56.0507141713050.23334@face.atnet.at>
References: <m1Dsksq-000ojEC@finlandia.Infodrom.North.DE> <[🔎] Pine.LNX.4.56.0507141713050.23334@face.atnet.at>

On Thu, Jul 14, 2005 at 05:40:22PM +0200, Herwig Wittmann wrote:
> Hi!
> 
> I am trying to understand if my organization can rely on the debian
> security announcement mailing list as only source of security alerts in
> the future.
> 
> This would be very convenient- but the delay that seems to have passed
> between the original squirrelmail security announcement and the time I
> received the alert via security@debian.org is worrying:
> 
> The Vulnerability seems to have been described a few weeks ago:
> http://www.squirrelmail.org/security/issue/2005-06-15
> 
> The Debian Security Advisory 756-1 is dated July 13th, 2005.
> 
> 
> I do not want to rude in any way- please try to excuse my way of putting
> things, but does anybody have a prediction how probable it is for such a
> thing to happen again?

There were two issues. When a security release for the first one was
prepared (28 june), I was (by my comaintainer, member of squirrelmail
security) as Squirrelmail maintainer informed about it.  After
discussing with the security team and my co-maintainer, we decided to
make it one update, also considering the severity of the issue, and
limited available time on my part at least.  The DSA was released on the
same day as the second issue was published (embargo expired).

So, the delay was a judgement call, and I still think it was the right
thing to do, especially since it took a bit of time to find a suiteable
patch for some of the more hairy issues (esp in woody). The biggest
reason though might have been that I had not much time at all the past
weeks for this.

Do note that the buildd network for security had nothing to do with
this, as squirrelmail is a purely architecture: all package.

> Is there a role/function in debian that is responsible for reviewing
> bugtraq or similiar sources, and is ensured that this role is fulfilled
> every day?

The security team follows bugtraq, and a lot of others do so too. In
squirrelmail's case, one of the upstream security guys is co-maintainer
of the Debian package. If you take the effort to look at the bug page,
you'll notice that we were well aware, and working on it.

> Or will there be other measures in place to see that security issues are
> noticed quickly for all packages- even for strange tools that
> are not used by normal unix-centered developers?

Noticed doesn't mean that people immediately go out of their way to
create an update the same day, we're still a volunteer organisation,
and bear in mind that not all issues are equally severe.

--Jeroen

-- 
Jeroen van Wolffelaar
Jeroen@wolffelaar.nl (also for Jabber & MSN; ICQ: 33944357)
http://Jeroen.A-Eskwadraat.nl

Reply to:

References:
- Timeliness of Debian Security Announceness? (DSA 756-1 Squirrelmail)
  - From: Herwig Wittmann <herwig-amazon@atnet.at>

Prev by Date: Versions of shared libraries
Next by Date: Security updates fro non-US
Previous by thread: Re: Timeliness of Debian Security Announceness? (DSA 756-1 Squirrelmail)
Next by thread: Light weight IDSes and then some
Index(es):
- Date
- Thread