[Secure-testing-team] Mini-meeting at DebConf - minutes
Moritz Muehlenhoff
jmm at inutil.org
Mon Jul 2 18:57:54 UTC 2007
On Fri, Jun 29, 2007 at 12:01:15AM +0200, Florian Maier wrote:
> Moritz Muehlenhoff wrote:
> > There are two things of special interest to Debian:
> >
> > - Verify the Sarge status of vulnerabilities:
> > http://idssi.enyo.de/tracker/status/release/oldstable?hide_nodsa=1
> >
> > They are derived from the unstable data and should be checked/verified
> > if really all of these apply to Sarge. (e.g. sometimes older versions
> > don't include vulnerable code)
1)
> > - In the short/mid-term I'm planning to work on a better QA process with more
> > external participants. There's a delay of up to a couple of days between
> > the time when a package is initially built and the release of the fixed
> > package. Large installations like Munich could receive the packages prior
> > to release and provide testing/QA feedback in return. So, participating
> > in this would be very much appreciated once the infrastructure is in place.
> > (This would be limited to publicly known vulnerabilities, which is > 80%)
2)
> Sounds good. Although we do only use a small subset of the sarge
> repositories, I can definitely do this. A collaboration would be very
> worthwhile for all parties involved!
>
> Is there already a certain timeframe you are thinking of?
You can start with 1) right away, 2) will need some infrastructure improvements,
which will likely take a couple of months.
Cheers,
Moritz