next steps (Was Re: [Secure-testing-team] Security update for fuse)
Micah Anderson
micah at riseup.net
Thu Jun 16 02:43:44 UTC 2005
On Wed, 15 Jun 2005, Joey Hess wrote:
> > I'd suggest to start an experimental service for i386 for now, if it works
> > out it can be extended.
>
> Works for me. I'm afraid that Neuro is probably going to have to
> prioritise getting the security system working again for stable over us,
> since that is apparently not working at all right now. Sigh.
>
> Anyway, an experimental apt repo for this is easy enough to set up. I
> wonder where we should mail the announcements? We might also want to do
> announcements for holes that get fixed in testing via regular testing
> propagation.
I've updated the announcement email with the statistics and additional
information (find it below for review). However, I am wondering if we
should wait to send this out until we have this repository and a place
to mail the announcements, so we can communicate those?
Here is the updated announcement:
. Secure-Testing Accomplishments
. Statistics
. Etching our way towards testing security
Now that Sarge has been released, the testing-security team is shifting
gears from our pre-release activities to our post-release work. What
follows is a report on our activities thus far, and our future plans.
Secure-Testing Accomplishments pre-Sarge
------------------------------------------
Testing-security performed a massive security review of *all* CAN and
CVE entries announced since the release of woody, performed a scan of
every DSA since woody's release and checked all DSAs to see if fixes
for those security holes had reached testing. This process uncovered
a few security holes that hadn't been fixed in testing for a year or
more, although these were exceptions.
We set up an automatic SVN repository updater for the CAN list, bringing
in fresh CANs/CVEs from Mitre. This allowed us to be alerted to
CANs/CVEs as soon as they were released, so that we could
check them. We also set up a webpage that is automatically updated
based on the status of this SVN repository.
Statistics
----------
. As of a few days ago we have processed a total of 6,536 items
. Out of these, 1,226 items affected Debian at some point
(in 498 distinct packages and taking 918 package uploads to fix)
. Currently there are 56 unfixed in etch now
. and 44 items left that we have to process
Etching our way towards testing security
----------------------------------------
Now that Sarge has been released, the testing-security team is shifting
gears from keeping the security pressure on for the release towards
building out our infrastructure to provide more security support for
testing. The team has worked hard to get Sarge secure, and we now have
a testing distribution with no old security holes in it.
We are beginning to move towards developing the procedures necessary
to start providing regular security updates for testing. This means
developing a DTSA (Debian Testing Security Advisory) procedure,
starting to release these as GPG-signed advisories, and providing
timely package updates for security issues in testing. Our goal would
be no more than four days after a DSA is released.
Initially we will start an experimental service for i386, extending it
as we go. We are lowering the bar for architecture synchronicity, due to
the volatile nature of testing.
We hope we can obtain security infrastructure for testing by
obtaining the testing-security (and/or testing-proposed-updates)
queues to get packages built against etch. However, if we cannot
procure this resource we will have to set up our own queues and
autobuilder network (or possibly piggyback on the experimental
autobuild network). Stay tuned for more information.
Additionally, our team continues to maintain the public database[1] and
statistics about the current state of security in testing. We are
developing ways to make this listing more granular so that higher
priority items are distinct from less urgent minor and obscure issues.
We are also looking to provide MITRE with information about
vulnerabilities that we track that have not received a CVE assignment
(currently we have 55).
1. http://newraff.debian.org/~joeyh/testing-security.html