[Secure-testing-team] "Improving Security in Debian" Paper for Debconf5
Javier Fernández-Sanguino Peña
jfs at debian.org
Fri Mar 4 18:48:53 UTC 2005
Hi guys,
Even though I'm not yet sure if I'll be able to attend, I have submitted a
paper to Debconf5 related to security work at Debian. It is oriented towards
helping maintainers keep their packages in shape (security-speaking),
showing some data of how the security team and the security-audit team are
working out and suggesting things that should be improved.
It would be great if other members of the Security Team and the Debian
Security Team could contribute to the paper and help with the conference
(again, I'm not sure if I will attend).
I believe that having a paper outline the current status of security
support in Debian and what things need to be improved both in the Debian
operating system and the project to improve it would be a big eye-opener to
some of the issues the Security Team is having. Also, providing (in a
workshop) some basic knowledge so that maintainers can security-audit their
packages would save a lot of issues in the long term.
This is the abstract I have proposed:
-------------------------------------------------------------------------
Improving Debian Security
-------------------------
How can we improve the security of the Debian distribution to improve it
both to protect the Debian project and our end users?
This presentation will try to analyse what are the major concerns related
to the security in the Debian operating system, including the current trend
of vulnerabilities and time to fix (an update of the one presented in
Debconf3), a look on the work conducted by the Debian Security and Security
Audit teams and what steps can maintainers, release managers and end-users
take in order to help keep the distribution secure. The analysis will
include a brief presentation of the impact of several security-enhancing
technologies (SELinux, PaX, SPP...) on the distribution and what needs to be
changed in order to provide these for end users.
The presentation will also try to feed some discussion including proposals
related to the overall management of software quality (and how this affects
the security of the released distribution) as well as to what additional
work can be conducted in order for the project to provide a distribution
with an enterprise level of security that could be, at some point, Common
Criteria certified for government use.
-------------------------------------------------------------------------
Does anyone want to help out with this?
Regards
Javier