[Secure-testing-team] Security update for fuse

Micah Anderson micah at debian.org
Wed Jun 8 03:39:41 UTC 2005


On Mon, 06 Jun 2005, Joey Hess wrote:

> Micah Anderson wrote:
> > Additionally, should testing-security provide security notices (such
> > as DSA's)? If so, how would this work?
> 
> I believe that we should do this, but have been waiting for the release
> of sarge for it, since I'm not sure if we can do something to get the
> testing-security (and/or testing-proposed-updates) queues to remain
> functional after sarge is released, to get packages built against etch.

It seems as if testing-security has been renamed to stable-security,
so this queue is out. Also, from what I understand britney hasn't been
reenabled yet for etch, and since the release is so recent, this is
probably not people's highest priority. Maybe I'm a sarge
party-pooper, but I would rather not find out a month from now that
these queues were destroyed because nobody thought they were useful to
keep around anymore, but from what I've been able to find out -- there
simply aren't any.

> If those queues do function that way, then we should be able to do full
> DTSAs for all architectures using them. If not, we will still be subject
> to other issues that block security fixes from testing, or will have to
> set up our own queues and autobuilder network (or piggyback on the
> experimental autobuild network). Doable, but kinda a pain.

Since it seems like not, we are stuck in the harder spot and need to
pick one of these solutions it seems. Unless there is something else
that can be done to try and get one of those queues functional.

I've seen some documentation out there about how to set up an
autobuilder, and I feel that I could set one up on my home machine if
necessary, however an i386 box is probably not what is really needed
in an autobuilder network, especially one with very little space
available. However, I have seen a number of people who have expressed
interest in getting into the buildd network and can't for some reason;
these are often the experimental autobuilder folks. Leveraging this
might make sense, although are there security issues that should be
taken into consideration in picking autobuilders?

> There's also the issue of whether we can get upload access to
> security.debian.org, and of who can actually upload packages and sign
> and email the DTSA messages (probably only the official DD's on the
> team).

I wonder if it makes sense to have a conversation with the security
team about merging efforts/resources?

micah