
Re: Bad press again...



* martin f. krafft:

>> I don't think so.  Joey seems to be satisfied with this situation,
>
> How would you know?

Joey doesn't ignore all mail, only some of it.

> That's because complaints don't actually have any result, so I, for
> instance, have stopped. I've pointed to severe problems with Debian
> stable security

We have problems, sure, but to me, it seems that these mainly come
from the impression that the real package maintainers think security
work has special trust requirements and is restricted to the security
team.

Or are there many packages with backported security patches, ready for
upload, and the security team does not act on them?  I don't think so.
Instead, I frequently encountered maintainers who eagerly closed
security bugs even though they were still unfixed in oldstable or even
stable. [*]

The main shortcoming in the area of the security team is lack of
documentation of bug fixing policies.  Obviously, we don't have full
security support in place for packages that have long been abandoned
by upstream for some classes of bugs (BIND 8, for example) or have
principal issues which can't be fixed reliably at reasonable cost
(PHP).  This must be communicated to our users, and this seems to be a
difficult thing to do in the current situation.

> I don't think Joey found it necessary just a single time to
> articulate a position on the issue of e.g. the three week outage in
> the security team throughout June.
>
> The final announcement that was sent was not authored by Joey, but
> by other DDs who were similarly concerned.

I wouldn't read too much into that.  To some extent, the security team
is just a client of Debian's infrastructure.  The lack of transparency
makes it very hard to analyze failures and put blame on certain
individuals or groups of people.

> Now we've had another issue of problems with s.d.o, but we had to
> learn about them from Heise.

Maybe that's because it was a non-issue which didn't affect anyone? 8-)


[*] In the past, this was a side effect of how package uploads
interact with the BTS.  Perhaps version tracking has improved this?


