[Secure-testing-team] Re: [Secure-testing-commits] t-s bits from DebConf5

Joey Hess joeyh at debian.org
Sat Jul 23 13:38:48 UTC 2005


Moritz Muehlenhoff wrote:
> [Joey, I guess you meant to send this to -team? I'm Cc'ing to it now]

Must have been more jetlagged than I thought to send it to the commits
list instead of here.

> >  - Ubuntu's security guy, Martin Pitt, was also there, and we also
> >    discussed ways to work with Ubuntu. He does more or less the same
> >    kind of work we do for tracking vulnerabilities, although he tries to
> >    automate the tracking of closed vulns via grepping changelogs with
> >    his script, as has been discussed here before. No firm conclusions
> >    were reached, and some kind of cooperation should be followed up on.
> 
> This works for Ubuntu, as all USN and their relative changelog entries
> are issued by a single person, but might trigger too many false positives
> for sid with its plethora of maintainers. I'd recommend leaving this
> with manual tracking.

Actually I think he greps all changelogs of all package changes, the
majority of which come direct from Debian. Anyway, I'd not want to use
this to automatically mark stuff fixed, but to use it to generate a list
of things to check would save some time.

> >  - People did not like the CAN-XXX-XXXX entries during the talk, and
> >    were also nonplussed by entries like "dpkg (unfixed)" that didn't
> >    have a bug number at the time (dpkg maintainer was in the audience
> >    and this was the first he'd heard of the zlib hole affecting dpkg). I
> >    hope we can do better at getting bugs filed quickly; this is an
> >    especial problem if one team member adds a CAN-XXX-XXXX with an
> >    unfixed item and no bug number as it can be hard to figure out what
> >    they're referring to then.
> 
> Well, if there's a CAN-2005-XXXX with "unfixed" and no bug this means
> that I'd been too busy to file a report on it, but where I know that
> Debian is affected. That's still better than hiding that there's a
> problem. And for most issues googling for upstream's website should
> bring up the necessary information.

If you can at least add a note with a URL, that would help; then
someone else could take care of the bug filing.

> >  - Matt Zimmerman gave us some pointers on communicating with Mitre to
> >    get CAN numbers. He offered to forward things along to them (he's mdz
> >    at debian.org) and get CANs. Also, he's introduced us to Steven
> >    Christey at Mitre.
> 
> That's good to hear.
> 
> >    Not sure if Steven's email address is publicly
> >    available
> 
> Steven M. Christey <coley at linus.mitre.org>  ?

Yes and you can see the first crop of new CANs in the db now.

-- 
see shy jo
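An added example, not Martin Pitt's script or the team's tracker code: a small Python scan that pulls CAN ids out of Debian changelog entries and matches them against still-unfixed tracker items, producing a list to check by hand rather than marking anything fixed. The changelog text, the tracker tuple format, the package names, the CAN ids and the bug number are all constructed placeholders.

```python
import re
from typing import List, Tuple

# Constructed sample changelog in Debian format; CAN ids and bug numbers are placeholders.
SAMPLE_CHANGELOG = """\
foo (1.2-3) unstable; urgency=high

  * Fix buffer overflow in decoder (CAN-2005-9001). Closes: #999001

 -- Example Maintainer <maint@example.org>  Sat, 23 Jul 2005 12:00:00 +0000

foo (1.2-2) unstable; urgency=low

  * README: note that CAN-2005-9002 does not affect this package

 -- Example Maintainer <maint@example.org>  Mon, 04 Jul 2005 12:00:00 +0000
"""

# Constructed tracker snippet as (CAN id, package, status); not the team's real file format.
TRACKER = [
    ("CAN-2005-9001", "foo", "unfixed"),
    ("CAN-2005-9002", "foo", "unfixed"),
    ("CAN-2005-9003", "bar", "unfixed"),
]

HEADER = re.compile(r"^(\S+) \(([^)]+)\) \S+; urgency=\S+$", re.M)
CAN_ID = re.compile(r"\bCAN-\d{4}-\d{4,}\b")

def parse_changelog(text: str) -> List[Tuple[str, str, set]]:
    """Split a Debian changelog into (package, version, CAN ids mentioned in the entry)."""
    entries = []
    heads = list(HEADER.finditer(text))
    for i, m in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        body = text[m.end():end]
        entries.append((m.group(1), m.group(2), set(CAN_ID.findall(body))))
    return entries

def candidates(changelog: str, tracker) -> List[Tuple[str, str, str]]:
    """Return (CAN id, package, version) for unfixed tracker items that a changelog
    entry for the same package mentions. A hit is only a prompt to check by hand:
    the 1.2-2 entry above names an id without fixing anything (a false positive)."""
    hits = []
    entries = parse_changelog(changelog)
    for can, pkg, status in tracker:
        if status != "unfixed":
            continue
        for epkg, ver, ids in entries:
            if epkg == pkg and can in ids:
                hits.append((can, pkg, ver))
    return hits

if __name__ == "__main__":
    for can, pkg, ver in candidates(SAMPLE_CHANGELOG, TRACKER):
        print(f"check: {can} {pkg} {ver}")
```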