[cut-team] Some experience with security support for testing

Nico Golde nico at ngolde.de
Tue Aug 31 16:49:08 UTC 2010


Hi,
* Joey Hess <joeyh at debian.org> [2010-08-31 18:21]:
[...] 
> Stefan Fritsch wrote:
> > Somewhere during Lenny's release cycle, all members of the testing 
> > security team became also members of the stable security team. After 
> > Lenny's release, there was more motivation to work on stable security, 
> > and there were not many uploads to testing-security anymore. As you 
> > may have noticed, there is more than enough work for stable.
> 
> So, I knew this happened, but I still don't fully understand *why* it
> happened.

From my point of view there are multiple reasons. One is the lack of manpower 
and the importance of stable. At the time of lenny we were mostly 3 active 
people who did all the work and sadly this situation didn't improve over time 
despite asking several times for help. Since I joined the stable security team, 
I tried to balance my work between stable and testing a bit (note that I'm not 
really active at the moment in both due to writing on my thesis), and so did 
Steffen, but now there is a clear lack of manpower. In addition to this, 
embargoed security information has always been a problem. Traditionally the 
testing-security team has no access to this kind of information, while it's 
imho a crucial component in keeping testing secure. We tried to work against 
that a bit by starting team at testing-security.debian.net and putting a few selected 
people on this list, but the activity on this alias has always been close to 
zero. Sadly, coordination between the stable and testing security teams never worked 
at this point, which is mostly because the workflow and practices in the 
stable team are very chaotic and not uniform among the members imho.

Another important problem is the view of maintainers towards testing. Most of 
them don't monitor their packages for proper testing migration so getting 
those packages to migrate and track was a huge additional workload that wasn't 
even related to security.
I can only speak for myself, but before the lenny release I've been working 
several hours a day to make this happen, and since lenny was released the 
number of significant new contributors to this is not very high. To be honest, 
I don't know why and I have no idea how this could get promoted any better.

[...] 
> Does that all sound about right? If so, assuming that CUT actually happens,
> it suggests that the existence of some testing-based thing with the 
> project behind it and user interest, could in turn lead to renewed
> interest in providing security support for testing, both from within and
> without the current security team.

Yes, this sounds right to me. The most important thing to change this imho 
would be to get all members of the stable security team to work with the 
security-tracker (it's important for them anyway) and thus share the workload 
with the testing-security team, motivate DDs to care about migration and
find a way to motivate some fresh blood.

I have a hard time explaining the possible reasons from my side, and I think
there are quite some points which contributed to this problem, but I hope this 
input is helpful (even though I also have to say it's imho not as bad as this 
may sound; the most important problem is a manpower one).

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - nion at jabber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.