Re: [SECURITY] [DSA 3547-1] imagemagick security update

To: Henrique de Moraes Holschuh <hmh@debian.org>
Cc: debian-security@lists.debian.org
Subject: Re: [SECURITY] [DSA 3547-1] imagemagick security update
From: Peter Palfrader <weasel@debian.org>
Date: Tue, 12 Apr 2016 19:47:53 +0000
Message-id: <[🔎] 20160412194753.GI26457@sarek.noreply.org>
Mail-followup-to: Peter Palfrader <weasel@debian.org>, Henrique de Moraes Holschuh <hmh@debian.org>, debian-security@lists.debian.org
In-reply-to: <[🔎] 1460488760.3438213.576707145.5A43E989@webmail.messagingengine.com>
References: <E1aphGE-00013G-F0@seger.debian.org> <[🔎] 570CDA55.5010200@iinet.net.au> <[🔎] 2095627.V5bhYdRjE7@box> <[🔎] 570D0957.9030400@iinet.net.au> <[🔎] 492b72a4f9f047e86c833cdfe1cc9f1d@mail.adam-barratt.org.uk> <[🔎] 2b2dffb144ef90ca9581ba678442f970@mail.adam-barratt.org.uk> <[🔎] 1460482213.3411255.576644529.194FD780@webmail.messagingengine.com> <[🔎] 20160412173222.GH26457@sarek.noreply.org> <[🔎] 1460488760.3438213.576707145.5A43E989@webmail.messagingengine.com>

On Tue, 12 Apr 2016, Henrique de Moraes Holschuh wrote:

> We list several mirrors carrying debian security updates in
> https://www.debian.org/mirror/list-full

I think we shouldn't.

> We don't disclose which mirrors are members of the security.debian.org

https://anonscm.debian.org/cgit/mirror/dsa-auto-dns.git/tree/zones/security.debian.org.zone

is the file that the security.d.o zone is generated from.

> Alternate access URIs for several of the security.debian.org pool
> members *do* exist, but that information seems not to be clearly
> displayed anywhere.

They do?  Anything we actually tell people to use?

> A good starting point would be to provide a list of official security
> mirrors (potential members of the security.debian.org pool) that can be
> accessed directly when geo-ip is directing an user to a pool member that
> is stale.

No.  We derotate mirrors regularly for maintenance work.  We don't want
users to pick their security.d.o mirror.

-- 
                            |  .''`.       ** Debian **
      Peter Palfrader       | : :' :      The  universal
 https://www.palfrader.org/ | `. `'      Operating System
                            |   `-    https://www.debian.org/

Reply to:

Follow-Ups:
- Re: [SECURITY] [DSA 3547-1] imagemagick security update
  - From: Henrique de Moraes Holschuh <hmh@debian.org>

References:
- Re: [SECURITY] [DSA 3547-1] imagemagick security update
  - From: Bjoern Nyjorden <brn@iinet.net.au>
- Re: [SECURITY] [DSA 3547-1] imagemagick security update
  - From: Luciano Bello <luciano@debian.org>
- Re: [SECURITY] [DSA 3547-1] imagemagick security update
  - From: Bjoern Nyjorden <brn@iinet.net.au>
- Re: [SECURITY] [DSA 3547-1] imagemagick security update
  - From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Re: [SECURITY] [DSA 3547-1] imagemagick security update
  - From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Re: [SECURITY] [DSA 3547-1] imagemagick security update
  - From: Henrique de Moraes Holschuh <hmh@debian.org>
- Re: [SECURITY] [DSA 3547-1] imagemagick security update
  - From: Peter Palfrader <weasel@debian.org>
- Re: [SECURITY] [DSA 3547-1] imagemagick security update
  - From: Henrique de Moraes Holschuh <hmh@debian.org>

Prev by Date: Re: [SECURITY] [DSA 3547-1] imagemagick security update
Next by Date: Call for testing: upcoming samba security update
Previous by thread: Re: [SECURITY] [DSA 3547-1] imagemagick security update
Next by thread: Re: [SECURITY] [DSA 3547-1] imagemagick security update
Index(es):
- Date
- Thread