[Secure-testing-team] Re: [Secure-testing-commits] t-s bits from DebConf5
Moritz Muehlenhoff
jmm at inutil.org
Fri Jul 22 23:54:11 UTC 2005
[Joey, I guess you meant to send this to -team? I'm Cc'ing to it now]
On Tue, Jul 19, 2005 at 10:39:33AM -0400, Joey Hess wrote:
> Summary of DebConf5 from the point of view of this team:
>
> - One idea that came up was using this team as the foundation for a
> "public" security team, and keeping this separate from the vendor-sec
> stuff handled well enough by the stable team. I pointed out that I
> couldn't speak for the team about whether we were interested in
> tracking/dealing with stable security holes (and that I'm not so much
> interested in it myself).
As already mentioned on debian-security some time ago I think that's
a great idea and I'd be willing to help.
> - Ubuntu's security guy, Martin Pitt, was also there, and we also
> discussed ways to work with Ubuntu. He does more or less the same
> kind of work we do for tracking vulnerabilities, although he tries to
> automate the tracking of closed vulns via grepping changelogs with
> his script, as has been discussed here before. No firm conclusions
> were reached, and some kind of cooperation should be followed up on.
This works for Ubuntu, as all USNs and their corresponding changelog entries
are issued by a single person, but it might trigger too many false positives
for sid with its plethora of maintainers. I'd recommend leaving this
with manual tracking.
> - People did not like the CAN-XXX-XXXX entries during the talk, and
> were also nonplussed by entries like "dpkg (unfixed)" that didn't
> have a bug number at the time (dpkg maintainer was in the audience
> and this was the first he'd heard of the zlib hole affecting dpkg). I
> hope we can do better at getting bugs filed quickly; this is an
> especial problem if one team member adds a CAN-XXX-XXXX with an
> unfixed item and no bug number as it can be hard to figure out what
> they're referring to then.
Well, if there's a CAN-2005-XXXX with "unfixed" and no bug, this means
that I'd been too busy to file a report on it, but where I know that
Debian is affected. That's still better than hiding that there's a
problem. And for most issues googling for upstream's website should
bring up the necessary information.
> - Matt Zimmerman gave us some pointers on communicating with Mitre to
> get CAN numbers. He offered to forward things along to them (he's mdz
> at debian.org) and get CANs. Also, he's introduced us to Steven
> Christey at Mitre.
That's good to hear.
> Not sure if Steven's email address is publicly available
Steven M. Christey <coley at linus.mitre.org> ?
> - We've gained a new team member, Martin Zobel-Helas. zobel already
> tracks and deals with security holes for the packages in the volatile
> archive.
>
> - zobel and Andreas Barth currently run Debian's experimental/volatile
> autobuilding network and they've volunteered to use that network for
> autobuilding testing security updates on all arches and providing a
> repo for them. We're still working out the details and setting things
> up.
Great.
Cheers,
Moritz