Re: [SECURITY] [DSA 3547-1] imagemagick security update
> On 13/04/2016, at 18:50, Peter Palfrader <weasel@debian.org> wrote:
>
>> On Wed, 13 Apr 2016, Bjoern Nyjorden wrote:
>>
>> Given that this is not the first occurrence,
>
> I think it is, actually. As often is the case in the Swiss-cheese
> model, here all the holes lined up and the update of this security
> mirror was delayed for about two days.
>
> We can identify at least four causal factors. Probably more, if we
> look a bit further.
> (1) The scripts Debian uses to mirror repositories treat the mirroring
> hierarchy as a tree. The failure of any node or link will cause
> the subtree(s) under the failed component to not receive updates.
> (2) There is an ongoing network outage between where the Australian
> mirror is and its upstream mirror in the US.
> (3) The scripts that automatically update the security rotation only
> check if a server is online and responds to HTTP requests - they
> do not check if a mirror is current.
> (4) The Nagios warning was missed in all the noise, and the relevant
> teams are overworked and busy.
With mention to the above, specifically (4): is there a mailing list / group / volunteer place for people interested in helping with network operations?

In $DayJob I work doing monitoring and management of networks, and while my coding is still rough, I think this would be a way I could contribute to helping Debian, and I would be keen to.

As an aside, I would also be keen to help on 1-3 as best as I could; however, I will need to work on my programming and getting to understand the existing code before I could usefully help with 1 or 4.

Apologies if this is too off topic or if this is answered clearly elsewhere.

Regards,
Alexander
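
Causal factor (3) in the quoted message, illustrated with an added example that is not part of the original thread and is not Debian's mirror tooling: a rotation check that requires a mirror to be current as well as reachable. It assumes freshness is judged by comparing the `Date` field of each mirror's `Release` file with the master copy; the mirror names, the 6-hour lag threshold and the sample `Release` headers are constructed for illustration.

```python
from datetime import timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample Release headers (not real mirror data).
MASTER_RELEASE = """Origin: Debian
Label: Debian-Security
Date: Wed, 13 Apr 2016 06:00:00 UTC
Valid-Until: Wed, 20 Apr 2016 06:00:00 UTC
"""
STALE_RELEASE = MASTER_RELEASE.replace(
    "Date: Wed, 13 Apr 2016", "Date: Mon, 11 Apr 2016")


def release_date(text):
    """Return the Date field of a Release file as an aware datetime."""
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "date":
            dt = parsedate_to_datetime(value.strip())
            # Treat a timestamp without a zone as UTC.
            return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)
    raise ValueError("Release file has no Date field")


def mirror_status(http_ok, mirror_release, master_release,
                  max_lag=timedelta(hours=6)):  # threshold is an assumption
    """Classify a mirror as offline, unparseable, stale or current."""
    if not http_ok:
        return "offline"  # the only condition the described check covers
    try:
        lag = release_date(master_release) - release_date(mirror_release)
    except (ValueError, TypeError):
        return "unparseable"  # fail closed: do not serve what we cannot date
    return "stale" if lag > max_lag else "current"


def rotation(mirrors, master_release):
    """Names of mirrors that are both reachable and current."""
    return sorted(name for name, (ok, rel) in mirrors.items()
                  if mirror_status(ok, rel, master_release) == "current")


if __name__ == "__main__":
    mirrors = {  # hypothetical mirror names
        "mirror-a": (True, MASTER_RELEASE),
        "mirror-b": (True, STALE_RELEASE),   # online, but two days behind
        "mirror-c": (False, MASTER_RELEASE),
    }
    print(rotation(mirrors, MASTER_RELEASE))
```

A reachability-only check would keep `mirror-b` in the rotation, which is the situation the quoted message describes.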