[Secure-testing-team] Mini-meeting at DebConf - minutes
Moritz Muehlenhoff
jmm at inutil.org
Wed Jun 27 21:35:25 UTC 2007
Florian Maier wrote:
> My name is Florian Maier and I'm the responsible security guy for the
> City of Munich's "LiMux" distribution, which is based on Debian Sarge
> with lots of backports and will be migrated to Debian Etch this autumn.
>
> Things like checking CVEs on a regular basis are already a part of my
> daytime job, and of course I'm motivated because I want to give back
> something to Debian, the distribution without which everything in Munich
> would be different.
There are two things of special interest to Debian:
- Verify the Sarge status of vulnerabilities:
http://idssi.enyo.de/tracker/status/release/oldstable?hide_nodsa=1
These are derived from the unstable data and should be checked/verified
to see whether all of them really apply to Sarge (e.g. sometimes older
versions don't include the vulnerable code).
- In the short/mid-term I'm planning to work on a better QA process with more
external participants. There's a delay of up to a couple of days between
the time when a package is initially built and the release of the fixed
package. Large installations like Munich could receive the packages prior
to release and provide testing/QA feedback in return. So, participating
in this would be very much appreciated once the infrastructure is in place.
(This would be limited to publicly known vulnerabilities, which is > 80%.)
Cheers,
Moritz
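The first task above (finding the Sarge entries whose status is only inherited from unstable and therefore still needs a human check) can be done mechanically against the tracker's data file rather than by clicking through the web view. The script below is an added example and is not code from the mailing list or from the security tracker project. It assumes the layout of the tracker's data/CVE/list file: a "CVE-YYYY-NNNN (description)" header line followed by indented "- package status" lines, with a "[release]" prefix marking a release-specific override. The sample input, the CVE ids and the package names in it are constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the layout assumed for data/CVE/list. The real file
# indents package lines with a tab; the regex below accepts tab or spaces.
# CVE ids, packages and versions here are made up for the example.
SAMPLE = """\
CVE-2007-0001 (Example buffer overflow in foo)
    - foo 1.2-3 (bug #400001)
    [sarge] - foo <not-affected> (vulnerable code introduced in 1.2)
CVE-2007-0002 (Example path traversal in bar)
    - bar 2.0-1
CVE-2007-0003 (Example issue in baz)
    - baz <unfixed>
    [sarge] - baz 0.9-2sarge1
CVE-2007-0004 (Example issue in qux)
    - qux <not-affected> (Debian never shipped the plugin)
"""

@dataclass
class Entry:
    cve: str
    # package -> status as recorded for unstable (a version, <unfixed>, ...)
    packages: dict = field(default_factory=dict)
    # (release, package) -> status explicitly recorded for that release
    release_overrides: dict = field(default_factory=dict)

# "- pkg status ..." optionally prefixed by "[release] "; trailing text
# such as "(bug #N)" or a comment is ignored.
PKG_LINE = re.compile(
    r'^\s+(?:\[(?P<release>[a-z]+)\]\s+)?-\s+(?P<pkg>\S+)\s+(?P<status>\S+)')

def parse(text):
    """Parse the assumed data/CVE/list layout into Entry objects."""
    entries = []
    cur = None
    for line in text.splitlines():
        if line.startswith('CVE-'):
            cur = Entry(cve=line.split()[0])
            entries.append(cur)
            continue
        m = PKG_LINE.match(line)
        if m and cur is not None:
            if m.group('release'):
                cur.release_overrides[(m.group('release'), m.group('pkg'))] = m.group('status')
            else:
                cur.packages[m.group('pkg')] = m.group('status')
    return entries

def needs_review(entries, release='sarge'):
    """Return (cve, package, unstable_status) for every package whose status
    for `release` is only inherited from unstable: no explicit [release]
    line exists and unstable does not say <not-affected>. These are the
    entries a reviewer has to confirm or annotate by hand."""
    out = []
    for e in entries:
        for pkg, status in e.packages.items():
            if status == '<not-affected>':
                continue  # never affected anywhere, nothing to verify
            if (release, pkg) not in e.release_overrides:
                out.append((e.cve, pkg, status))
    return out

if __name__ == '__main__':
    for cve, pkg, status in needs_review(parse(SAMPLE)):
        print(f'{cve}: {pkg} ({status} in unstable) has no [sarge] annotation')
```

On the sample only CVE-2007-0002 is reported: the other entries either carry an explicit [sarge] line (confirmed fixed, or marked not-affected after a source check) or are not-affected in unstable to begin with. Each reported entry is then resolved by looking at the Sarge source and adding a [sarge] line with the real status.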