[Secure-testing-team] resolving hard TODOs

Micah Anderson micah at riseup.net
Fri Mar 4 00:39:52 UTC 2005


On Wed, 02 Mar 2005, Joey Hess wrote:

> Micah Anderson wrote:
> > Here is the email that I prepared to ask for help, please review to
> > see if there are things missing, should be taken out, or changed. I
> > tried to make it fun so people would read it, but maybe it crosses a
> > line I am not aware of.
> > 
> > I was thinking of sending this to debian-devel, but perhaps it should
> > also be sent to debian-security.
> 
> I had been thinking about posting some kind of "bits from the testing
> security" team message (to -devel-announce), and I think you kinda just
> wrote that message.

In writing this, I just sort of did a mashup of the alioth page, and a
couple emails that you'd sent out in order to get a quick overview of
what I was talking about so people would understand what we were
asking for. Because of this, I don't feel like it is all that new of
information, except for the queries for help, so I am not so sure it
fits for giving an update to our progress... but then again I am not
sure what you had in mind. 

If you want to just modify what I sent out and make a "bits from the
testing security team" message, by all means do so, I have no ego
involved with this message, so it can be cut up, changed, modified or
sent as someone else, whatever may be appropriate.


> > I also need to figure out if people should send their suggestions to
> > secure-testing-team at lists.alioth.debian.org, or should the discussion
> > happen organically on the lists and then we can just collate any stray
> > information from there?
> 
> If it goes to -devel-announce, then -devel is probably the natural place
> for followups. Asking people to post to a list they don't read can be
> problematic.

I agree.

> > 3. What packages modify JPEG images (CAN-2005-0406)[7]?
> 
> Might be better to limit this to which ones do not modify the EXIF
> thumbnail. Otherwise it invites many redundant emails of "imagemagick
> and the gimp".
> 
> Hmm, if we could make a jpeg with an interesting and unique EXIF
> thumbnail, it would be easy for people to test this in many apps. I
> don't know how to do that however..

Yeah, I have no clue about this either... I was hoping that if
replies/follow-ups were sent to debian-devel then people would/should
read other people's responses before they contributed their "gimp"
message. I assume that we'll have a certain amount of cruft to cut
away, but having extra is much better than having none, which we have
now.

> > Glad you asked! Any Debian developers with an interest in
> > participating are welcome to join the team, and we also welcome others
> > who have the skills and desire to help us. The team can be contacted
> > through its mailing list[12]. There is a second mailing
> > list[13] that receives commit messages to our repository. An alioth
> > project page[1] is also available. Have a read of this message[14] if
> > you are interested in participating, the details are there about how
> > to start helping check CANs on a regular basis.
> 
> Might also link to http://secure-testing.alioth.debian.org/ ?

The first link reference was just that: 

"An alioth project page[1] is also available..."

[1] http://secure-testing.alioth.debian.org/




