[Secure-testing-team] Oldenburg 1st meeting summary
Micah Anderson
micah at riseup.net
Fri Sep 23 14:10:38 UTC 2005
What follows is a summary of the first testing-security meeting held at
Oldenburg September 22, 2005 with joeyh, micah, jmm, lamont in
attendance:
. Discussed stable security and Brandon's arrival and what
  testing-security can offer to help with stable-security issues:
    transparency of stable security - tracking tools
    stable is primarily responsible for embargoed issues
. Discussed vendor-sec criteria and if it made sense for
testing-security people to try and obtain it. The general
consensus was that the majority of the issues we deal with are already
public or get fixed in such a short time that we do not need to have
access to embargoed issues.
. Discussed each person's work-flow to get an idea of what lists/websites
each of us monitor and ways that we identify problems/fixes. Getting these
things documented would help identify what is missing and what new people
can help with.
. watching for holes:
    watch/scan bugs that are tagged in the BTS
    lists: bugtraq, bug-dists, debian-devel-changes (should file bugs, tag security),
    full disclosure, lkml
    "exploit tree" as potentially useful if we could manage to track it
. checking for the existence of packages affected by issues:
    search for ITP
    check for previous advisory
    check packages.debian
    apt-cache search
. couple times a week, open each bug on the testing-security page in tabs and
  check to see if they are closed
    NOTE: if a CVE advisory says fixed in version 1.5 and later, you should not
    trust this; check whether the versions prior to it are vulnerable if they
    are in debian
. We talked about some of the issues in Moritz' email, and identified some
  interesting things to work on:
    tsck:
      make it just svn update the secure-testing list, but not the html page,
      or a smaller subset
      adapt it to the new syntactical changes to the list (urgencies etc.)
    user-tags:
      use testing-security, mark as reviewed, also mark bugs that have a CVE id
      with that ID
    retroactive list cleansing:
      go through CAN/list to retroactively add not-affected to issues that do
      not have it
      perhaps add more tags that fw has created
    documentation issues:
      overview of developer's reference changes (micah is working on making
      these changes)
    DTSA criteria:
      we only identified that we should figure this out
      agreeing on severity levels and embedded source/removed packages so it
      can be documented
      workflow overview
    Others:
      We didn't get through the whole list, but will at later meetings
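The version check behind the NOTE above (a CVE entry saying "fixed in 1.5 and later" tells you which Debian versions to go and verify by hand, not which ones are vulnerable), as an added example that is not part of this summary or of the team's tools: it reimplements dpkg's version ordering (epoch:upstream-revision, with "~" sorting before anything, including the end of the string) in Python and sorts the package versions found in the archive into those at or above the advisory's fixed upstream version and those below it, which is the set the note says must be looked at rather than assumed vulnerable. The package names and versions are constructed sample data, and comparing against the advisory's version with the Debian epoch and revision stripped is an assumption about how such advisories state upstream versions.

```python
# Added example, not the team's code: dpkg-style version comparison used to
# triage which Debian package versions fall below an advisory's "fixed in X".


def _order(c):
    """Weight of a non-digit character in dpkg's ordering ('~' sorts lowest)."""
    if c == "~":
        return -1
    if c.isalpha():
        return ord(c)
    return ord(c) + 256  # punctuation sorts after letters


def _verrevcmp(a, b):
    """Compare two version fragments (upstream or revision) like dpkg does:
    alternating runs of non-digits (compared by _order) and digits (compared
    numerically, leading zeros ignored). Returns <0, 0 or >0."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: end-of-string and digits both weigh 0, so "1.0~rc1" < "1.0".
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) and not a[i].isdigit() else 0
            bc = _order(b[j]) if j < len(b) and not b[j].isdigit() else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: skip leading zeros, then the longer run wins, else first differing digit.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _parse(version):
    """Split 'epoch:upstream-revision' into (int epoch, upstream, revision)."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_versions(a, b, upstream_only=False):
    """dpkg ordering of two Debian versions. With upstream_only=True the epoch
    and Debian revision are ignored, which is what you want when the other side
    is an upstream version quoted by an advisory (assumption, see lead-in)."""
    ea, ua, ra = _parse(a)
    eb, ub, rb = _parse(b)
    if upstream_only:
        return _verrevcmp(ua, ub)
    if ea != eb:
        return ea - eb
    return _verrevcmp(ua, ub) or _verrevcmp(ra, rb)


def triage(fixed_upstream, packages):
    """Map package -> status for an advisory that says 'fixed in <fixed_upstream>'.
    Versions below it are the ones the NOTE says to verify, not to assume vulnerable."""
    result = {}
    for pkg, ver in packages.items():
        if compare_versions(ver, fixed_upstream, upstream_only=True) < 0:
            result[pkg] = "check-prior-version"
        else:
            result[pkg] = "fixed-or-later"
    return result


# Constructed sample: versions as they might appear in testing for an advisory
# that says "fixed in 1.5 and later".
SAMPLE_PACKAGES = {
    "foo": "1.4.2-3",         # older upstream: needs a real look
    "foo-legacy": "1:1.2-1",  # an epoch would wrongly sort above 1.5 if compared naively
    "bar": "1.5-1",           # at the fixed upstream version
    "baz": "1.5~rc1-2",       # pre-release of 1.5 sorts before 1.5
}

if __name__ == "__main__":
    for pkg, status in triage("1.5", SAMPLE_PACKAGES).items():
        print(f"{pkg:12s} {SAMPLE_PACKAGES[pkg]:12s} {status}")
```

The epoch case is the one that bites in practice: "1:1.2-1" is newer than "1.5-1" to dpkg, but its upstream code is 1.2, so comparing whole Debian versions against an advisory's upstream version would hide it from the list to check.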