[Secure-testing-team] Security updates for Etch?

Joey Hess joeyh at debian.org
Tue Jun 14 17:23:35 UTC 2005


Micah Anderson wrote:
> I agree actually. What do people think about sending another update to
> debian-devel-announce, and debian-security with a status update of our
> work, and where we are going? Additionally, updating any relevant
> websites (what website was being referred to in saying "... the Debian
> website should be informed about this"?)

Announce is a good idea.

I assume he meant www.debian.org which AFAIK does not link to us at all.

> Now that Sarge has released, the testing-security team is shifting
> gears from our pre-release activities to our post-release work. What
> follows is a report on our activities thus far, and our future plans.
> 
> Testing-Security Accomplishments pre-Sarge
> ------------------------------------------
> 
> Testing-security performed a massive security review of *all* CAN and
> CVE entries announced since the release of woody, performed a scan of
> every DSA since woody's release and checked all DSAs to see if fixes
> for those security holes had reached testing. This process uncovered
> a few security holes that hadn't been fixed in testing for a year or
> more, although these were exceptions.
> 
> We set up an automatic SVN repository updater of the CAN list, bringing
> in fresh CANs/CVEs from Mitre. This allowed us to become alerted to
> CANs/CVEs that were released as soon as possible so that we could
> check them. We also set up a webpage that is automatically updated
> based on the status of this SVN repository.
> 
> Statistics 
> 		   . how many items we have processed
6536 (as of a few days ago)
> 		   . how many affected Debian at some point
1226; affecting 498 distinct packages and taking 918 package uploads to
fix.
>  		   . how many are unfixed in etch now
currently 56 per web site
> 		   . how many we have remaining to do
currently 44 TODO lines

> Etching our way towards Testing-Security 
> ----------------------------------------

Me shudders even harder at the pun since "edge" seems to be the 100%
most popular typo for "etch".

> Now that Sarge has released, the testing-security team is shifting
> gears from keeping the security pressure on for the release towards
> building out our infrastructure to provide more security support for
> testing. The team has worked hard to get Sarge secure, and we now have
> a testing distribution with no old security holes in it.
> 
> Now we'd like to start providing regular security updates for testing.
> This means developing a DTSA (Debian Testing Security Advisories) procedure
> and beginning to perform proper DTSAs for all architectures, releasing GPG
> signed advisories to a mailing list and website. Our goal
> would be to provide timely security updates for testing, making fixes
> available no more than four days after a DSA is released.

Would be good if this could give some concrete details, or at least our
current preferred way to do it and contingency plan if getting an upload
queue and security.debian.org space doesn't work out.

> Develop ways to work with the official security team to streamline
> security problems that come through testing into stable.
> 
> Work with maintainers to include security fixes from unstable that do
> not have DSAs.
> 
> Continue maintaining a public database and statistics about the
> current state of security in testing.

These are good points but need some expansion.

-- 
see shy jo