Re: Gaps in security coverage?
On Tue, Nov 06 2018, Paul Wise wrote:
> On Mon, Nov 5, 2018 at 10:29 PM John Goerzen wrote:
>> Hi folks,
> FTR, in case you were trying to contact the Debian Security Team
> directly I suggest using email@example.com or
> firstname.lastname@example.org instead, debian-security is more of a general
> security discussion list than a Debian Security Team list.
Thanks - I did intend it to go here, understanding that difference; I
had no particular reason to make it more private.
[ snips ]
> Personally, I think running debsecan, looking at each item, pinging
> bug reports and maintainers, doing stable updates and unstable NMUs,
> pushing patches upstream etc would be a great help.
That is good advice, thanks. I've been a DD for a long while, but it's
been a while (years) since I've been involved in the security process and
wasn't quite sure what the flow was anymore.
> Also, debsecan itself could use a lot of help, the maintenance of it
> and addition of new features currently falls on already-busy security
> team folks.
> In addition some more automation of ingestion of security info into
> the security tracker would free up security team time that is
> currently spent on manually updating the security-tracker data.
What kind of automated sources are you talking about here? Where do I
find the source that might be relevant? I might be able to pitch in