[Secure-testing-team] Security updates for Etch?

Micah Anderson micah at debian.org
Tue Jun 14 16:45:30 UTC 2005


On Tue, 07 Jun 2005, Vesa Savolainen wrote:
> The Debian website tells that there are no security updates available
> for testing and users are confused about the state of security
> auditing for testing. Now that Sarge has been released, I think it
> would be a good time for the testing security team to make some kind
> of a public announcement about how security updates will be managed
> in Etch. Also the Debian website should be informed about this. 

I agree actually. What do people think about sending another update to
debian-devel-announce, and debian-security with a status update of our
work, and where we are going? Additionally, updating any relevant
websites (what website was being referred to in saying "... the Debian
website should be informed about this"?)

If I may be presumptuous, I drafted the following; it needs some pieces
filled in (such as statistics):

Now that Sarge has released, the testing-security team is shifting
gears from our pre-release activities to our post-release work. What
follows is a report on our activities thus far, and our future plans.

Testing-Security Accomplishments pre-Sarge
------------------------------------------

Testing-security performed a massive security review of *all* CAN and
CVE entries announced since the release of woody, performed a scan of
every DSA since woody's release and checked all DSAs to see if fixes
for those security holes had reached testing. This process uncovered
a few security holes that hadn't been fixed in testing for a year or
more, although these were exceptions.

We set up an automatic SVN repository updater of the CAN list, bringing
in fresh CANs/CVEs from Mitre. This allowed us to be alerted to
CANs/CVEs that were released as soon as possible so that we could
check them. We also set up a webpage that is automatically updated
based on the status of this SVN repository.

Statistics
    . how many items we have processed
    . how many affected Debian at some point
    . how many are unfixed in etch now
    . how many we have remaining to do

Etching our way towards Testing-Security 
----------------------------------------

Now that Sarge has released the testing-security team is shifting
gears from keeping the security pressure on for the release towards
building out our infrastructure to provide more security support for
testing. The team has worked hard to get Sarge secure, and we now have
a testing distribution with no old security holes in it.

Now we'd like to start providing regular security updates for testing.
This means developing a DTSA (Debian Testing Security Advisories) procedure
and beginning to perform proper DTSAs for all architectures, releasing GPG
signed advisories to a mailing list and website. Our goal
would be to provide timely security updates for testing, making fixes
available no more than four days after a DSA is released.

Develop ways to work with the official security team to streamline
security problems that come through testing into stable.

Work with maintainers to include security fixes from unstable that do
not have DSAs.

Continue maintaining a public database and statistics about the
current state of security in testing.

....

Thoughts?
micah
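The two mechanical pieces of the work described in this message (checking whether the version that fixes an issue has actually reached testing, and producing the four statistics listed in the draft) are shown below as an added example. It is not the secure-testing team's tracker code and the one-line-per-issue list format it parses is a constructed stand-in, not the format of the team's SVN repository. The version comparison follows the dpkg ordering rules (epoch, upstream version, Debian revision, with `~` sorting before everything) so that, for instance, a `1.0~rc1` package in testing is correctly reported as not yet carrying a fix that landed in `1.0`.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample list (not real tracker data): one issue per line.
#   <id> TODO                      -> not yet reviewed
#   <id> NOT-AFFECTED              -> reviewed, Debian never shipped the bug
#   <id> <package> <fixed-version> -> reviewed, fixed in that package version
SAMPLE_LIST = """\
CAN-2004-0001 NOT-AFFECTED
CVE-2005-0001 TODO
CVE-2005-0002 NOT-AFFECTED
CVE-2005-0003 foo 1.2-3
CVE-2005-0004 bar 2.0-1
CVE-2005-0005 baz 1:1.5-2
CVE-2005-0006 foo 1.0-4
CVE-2005-0007 qux 1.0-1
"""

# Constructed snapshot of package versions currently in testing.
TESTING_VERSIONS: Dict[str, str] = {
    "foo": "1.1-1", "bar": "2.0-1", "baz": "1:1.4-9", "qux": "1.0~rc1-1",
}


@dataclass
class Entry:
    cve: str
    status: str                           # TODO, NOT-AFFECTED or AFFECTED
    package: Optional[str] = None
    fixed_version: Optional[str] = None


def _order(c: str) -> int:
    """dpkg character weight: '~' < end-of-string/digit < letters < others."""
    if c == "~":
        return -1
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a: str, b: str) -> int:
    """Compare one version component the way dpkg does: alternate
    non-digit runs (char by char via _order) and digit runs (numerically)."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1          # a has more digits: numerically larger
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(v: str):
    """Split 'epoch:upstream-revision' into its three parts."""
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_versions(v1: str, v2: str) -> int:
    """Return -1, 0 or 1 like dpkg --compare-versions ordering."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return (e1 > e2) - (e1 < e2)
    for x, y in ((u1, u2), (r1, r2)):
        c = _verrevcmp(x, y)
        if c:
            return (c > 0) - (c < 0)
    return 0


def parse_list(text: str) -> List[Entry]:
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if not re.fullmatch(r"(CVE|CAN)-\d{4}-\d{4,}", parts[0]):
            raise ValueError(f"malformed identifier: {parts[0]}")
        if parts[1] in ("TODO", "NOT-AFFECTED"):
            entries.append(Entry(parts[0], parts[1]))
        else:
            entries.append(Entry(parts[0], "AFFECTED", parts[1], parts[2]))
    return entries


def unfixed_in_suite(entries: List[Entry], suite_versions: Dict[str, str]) -> List[str]:
    """Issues whose fixing version has not reached the suite (or whose
    package is absent from the suite snapshot, which is treated as unfixed)."""
    unfixed = []
    for e in entries:
        if e.status != "AFFECTED":
            continue
        current = suite_versions.get(e.package)
        if current is None or compare_versions(current, e.fixed_version) < 0:
            unfixed.append(e.cve)
    return unfixed


def statistics(entries: List[Entry], suite_versions: Dict[str, str]) -> Dict[str, int]:
    """The four numbers from the draft announcement."""
    return {
        "processed": sum(1 for e in entries if e.status != "TODO"),
        "affected": sum(1 for e in entries if e.status == "AFFECTED"),
        "unfixed": len(unfixed_in_suite(entries, suite_versions)),
        "remaining": sum(1 for e in entries if e.status == "TODO"),
    }


if __name__ == "__main__":
    parsed = parse_list(SAMPLE_LIST)
    print(statistics(parsed, TESTING_VERSIONS))
    print("unfixed in testing:", unfixed_in_suite(parsed, TESTING_VERSIONS))
```

A package missing from the suite snapshot is deliberately counted as unfixed rather than silently skipped; when the check is "has the fix reached testing", an absent package is a gap to investigate, not a success.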