
Re: Bad press again...



* Petter Reinholdtsen:

> The count of open security issues in stable and oldstable is probably
> a better measuring meter, and it does not look too good.

Security support is a task for Debian as a whole, not just the
security team.  IMHO, the main role of the security team is
information sharing, risk assessment, and quality assurance for
security updates.  The team should act as a trusted point of contact,
forward information from external sources to the relevant developers
(in many cases this is possible, even if the information is considered
sensitive), and respond to security-related questions, both from
inside the project and external entities.  The team should have the
final say in what can go into the archive as a security update, after
it has weighed the security threat against the general risk of any
change to the stable distribution.  It's also necessary for the team
to review all security updates, to deal with the Single Point of
Ownership problem.  Even if all Debian developers are trustworthy,
some of their machines might be compromised, or they simply make
mistakes.

The security team has access to the privileged information which might be
helpful while preparing security updates, true, but in most cases,
after the issue has been disclosed to some extent (because upstream
has issued an update, for example), their head start is gone.
Nevertheless, there seems to be a general tendency among Debian developers
that security updates for stable are the job of the security team.  In
my eyes, this is the root of the problem.  The security team shouldn't
spend their time on package maintenance; that's what maintainers are
for.
