
Re: Workflow for handling security issues in testing



On Sat, Jun 02, 2018 at 11:00:20AM +0200, Philipp Kern wrote:
> On 6/1/18 9:17 PM, Adrian Bunk wrote:
> > On Thu, May 31, 2018 at 10:36:27PM -0700, Jonathan Nieder wrote:
> >> ...
> >> I don't think most users of testing realize that
> >> they also need to include stable-backports in sources.list to get
> >> security fixes.
> >> ...
> > 
> > No, this wouldn't get them all security fixes.
> > 
> > It would only make a difference when the package with the security 
> > fix is backported at all *and* the backport is done before the 
> > package migrated to testing.
> 
> Which is unfortunately against the rules of backports, as well. Packages
> are supposed to enter testing before they are backported.

There is an exemption for security fixes; in this case it is actually 
permitted to upload to backports before testing migration.

But note that in the pretty common case that the maintainer and the backporter 
are different people, the security fix might reach backports much later
than testing.

> [...]
> > testing (and even unstable) often get security fixes after stable,
> > and we should be honest about the fact that the security-supported 
> > part of Debian is a subset of stable[1] without backports.
> 
> I still wonder if there's some way we can make this better for testing
> users without resorting to a fatalistic attitude, though. ;-)
> 
> In theory we know which unstable uploads contain security fixes because
> the security tracker says so. That'd allow us to flag them and
> potentially give them a higher priority to migrate. But it still doesn't
> help when manual work is required because they are stuck behind a
> transition.

Or stuck behind a FTBFS, which is the reason why Chromium in testing is 
half a year and 100 CVEs behind Chromium in stable-security.

"can make this better for testing users" is a dangerous way forward
since nothing low-effort would actually provide security support for
testing, and this should be clearly communicated.

And any "solution" regarding transitions wouldn't solve the problem 
that there is no security support for unstable.

There is nothing that would make security support for testing impossible,
but for that there would have to be (again) a separate security team for
testing that works on security support every day.

> Kind regards
> Philipp Kern

cu
Adrian

-- 

       "Is there not promise of rain?" Ling Tan asked suddenly out
        of the darkness. There had been need of rain for many days.
       "Only a promise," Lao Er said.
                                       Pearl S. Buck - Dragon Seed

