
Re: [SECURITY] [DSA 1294-1] New xfree86 packages fix several vulnerabilities



On Fri, May 18, 2007 at 12:39:50AM +0200, Josip Rodin wrote:
> On Thu, May 17, 2007 at 11:22:02PM +0200, Moritz Muehlenhoff wrote:
> > Debian Security Advisory DSA 1294-1                    security@debian.org

> > This update lacks builds for the Sparc architecture, due to problems on
> > the build host. Packages will be released once this problem has been
> > resolved.

> I am repeating my request to donate and host a sparc machine for Debian.
> (Details are in my previous mails to debian-sparc, but I will repeat if
> someone forgot or can't find.) It's been ready and waiting for a few weeks.

> At the same time, vore.d.o is long dead, spontini.d.o is in lockdown,
> auric.d.o is operational but restricted, and schulz.d.o has been in state
> 'setup' for weeks. http://buildd.debian.org/stats/graph2-week-big.png
> indicates some fluctuation, with a recent downturn for sparc buildds.

> I'm Cc:ing the security team and members of the wb-sparc group on Debian
> machines.

> What else needs to happen to get something done about this?

Well, I'm only cc'ed on this because I have access to manipulate the buildd
queues, but I would note that the reason sparc is late for this update is
that auric has gone out to la-la land (hasn't been seen by w-b since May 3).
So I imagine that setting up a new buildd from scratch is less of a priority
right now than trying to get back the one that we already had configured.

Anyway, as far as getting something done, I would suggest opening an RT
ticket and documenting in that ticket:

- hardware details of the hosting offer
- bandwidth availability
- any network security policies that may affect DSA access, or the purpose
  to which the machine can be put
- local admin availability / expertise
- *long-term outlook* for the hosting offer (e.g., "I'm a senior exec
  with $org and have complete autonomy to decide to host this"; or "I've
  been with $org for $x years and have no plans to leave in the next $y
  years, and this hosting offer will be valid as long as I'm here"; or
  "Debian has 90% mindshare within $org and is enthusiastic about supporting
  the Debian Sparc port because we use it for $foo"; vs. "yeah, we've got a
  box we're not using and we don't need the rack space /yet/, so can you
  guys use it for the next month or two?")

If DSA has to go fishing for these details, chances are good that they
/won't/ do so, because there are always fires going on that will take
priority.  OTOH, if you present all of the salient information up front and
the hosting offer stands on its own, it will be a lot easier for DSA to
evaluate it compared with other hosting offers (and current hosting) and it
should be a bit easier to get a yay/nay on whether DSA thinks it's a machine
the project needs...

Cheers,
-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon@debian.org                                   http://www.debian.org/


