Bug#436161: debtags: New tags for security support

Enrico Zini enrico at enricozini.org
Tue Aug 21 09:42:58 UTC 2007


On Sun, Aug 05, 2007 at 11:59:31PM +0200, Moritz Muehlenhoff wrote:

> Please add support for the following tags, as discussed during
> DebConf in Edinburgh:
> 
> * [etch|lenny]-security-unsupported to flag that a source package has no
>   support by the Security Team. It should be distribution-specific to
>   allow revoking support for individual suites, as it was necessary for
>   Mozilla in Sarge.
> * security-local-use-only (or something similar, I'm unsure about the exact
>   naming), to indicate that security support only applies to local, trusted users.
>   An example: SQL-Ledger has a horrible security track record, so we only
>   support to run it behind an authenticated HTTP zone. It's still a useful
>   software and limiting support is a viable choice; doing accounting carries
>   a whole lot of implicit trust anyway.

Hi Moritz, thanks for opening this bug.  I'm totally in favour of this.

This seems to be the right place to also paste the other notes that I
took during the BOF at DebConf:

 - low-popularity packages can delegate security to the maintainers
 - support-level tags
    - Auto-generated tags
       - orphaned
       - MIA maintainer
       - old RC bugs
    - Team-generated tags
       - security team won't support
          - possibly, suite-specific no-security-support tags
       - suited for local use only
         (web-based double entry account system)
         (usable in the local network, but don't export on internet)
    - DD-introduced tags in control file
       - self-declared fringe package
       - self-declared dead-upstream
       - self-declared dead-upstream but DD will fix bugs
    - What else?
       - brainstorm personal best practices/metrics for choosing packages
       - package depends on orphaned packages
       - development status (alpha, beta, production, ...)
       - "I don't use this package anymore" (could be computed by
         scanning RFA bugs)


Ciao,

Enrico

-- 
GPG key: 1024D/797EBFAB 2000-12-05 Enrico Zini <enrico at debian.org>