[Secure-testing-team] Keeping us busy in Oldenburg
Florian Weimer
fw at deneb.enyo.de
Tue Sep 20 14:41:00 UTC 2005
* Moritz Muehlenhoff:
> - The developer's reference entry wrt handling security bugs should
> be updated/extended, it's currently too terse and lacks important
> information.

One big problem is that it gives developers the impression that *all*
security fixes should be sent privately to the security team, and not
the BTS, even if the issue is already publicly known.

> - The tracking page should be generated for sid as well, it seems to me
> that security bugs in packages not in testing are currently vanishing
> from our radar.

<http://idssi.enyo.de/tracker/status/release/unstable>

It should be pretty accurate, perhaps more than the corresponding page
for testing.

> - There has been an offer by a company for their proprietary solution of
> doing static analysis on binaries. There were some organisational hurdles
> IIRC, should we come back to them?

Was it BugScan by chance? They are gone.

> - Packages, which have been removed from testing by the RMs due to security
> bugs should be handled separately, they might get lost from our radar,

This can be dealt with with tsck, but you need server-side support for
that. (Not too hard to implement based on the database, especially if
the release tags I suggested are added to the list files.)