[Secure-testing-team] what else needs a DTSA right now?

Moritz Muehlenhoff jmm at inutil.org
Tue Aug 30 16:10:43 UTC 2005 

Joey Hess wrote:
> > > Can anyone suggest any more good candidates for DTSAs in the list of
> > > unfixed holes in testing? I've been trying to cover all the remote
> > > exploits and bad local exploits and aside from updating the kernel and
> > 
> > I want to have a deeper look at this. Horms has some stuff pending
> > he hasn't had the time to backport yet and some CVE assignments are
> > pending, but preparing updated recent 2.6.8 and 2.4.27 packages
> > for etch seems like a good idea (as they are security/major fix only
> > anyway), until linux-2.6 has made it into testing.
> 
> The big problem with this is that it cannot be autobuilt since etch
> still has all the different kernel source packages.

Yes, but plenty of porters in debian-kernel were building the kernels
Horms prepared for Sarge, so they might be willing to do the same for
Etch as well.
 
> One nice opportunity we have though, is to let developers do uploads and
> testing, so I do encourage that.

We should create a boilerplate text for direct inclusion in bug reports,
so this won't be missed.
 
> > BTW2, in cases where the maintainer has uploaded fixed packages,
> > we should add them to the DTSA: to prevent ill-feelings/mischief and
> > also as a direct indicator who's to blame if something goes wrong ;-)
> 
> Heh, sure, any idea where to list them?

No concrete idea, above the "Upgrade Instructions", maybe?
 
> > >  - zlib: too young in unstable, would rather not add new upstreams of
> > >    core libs to the repo until we know what can go wrong
> > 
> > The DSAs contain patches against 1.2.2, so they'd be good alternatives.
> > 
> > OTOH, I can't remember any major code changes, when I reviewed the changes
> > while preparing the fix for UCS; it was mostly portability fixes and
> > changes for contrib compression algos.
> 
> Would you like to do a DTSA for it?

Generally, yes. But I have to prepare some work for my thesis colloquium on
Thursday, so if anyone has free time before that, go ahead.

Cheers,
        Moritz

More information about the Secure-testing-team mailing list