[Secure-testing-team] DTSA announcements
Micah Anderson
micah at riseup.net
Sun Sep 2 19:35:05 UTC 2007
First of all, thanks a lot Steffan, this is great!
* Thijs Kinkhorst <thijs at debian.org> [070902 01:13]:
> On Sun, September 2, 2007 04:40, Steffen Joeris wrote:
> >> For removed packages, there is the problem that (AFAIK) the release
> >> team sometimes removes packages temporarily to ease transitions. This
> >> could be confusing for the users. Should the information about removed
> >> packages be included?
> > If the package is removed from testing, it does not mean that the user
> > removes it from their installation, therefore the issue is not fixed.
> > Because of
> > that, I would not include this information.
>
> If we leave the information out entirely, they are not prompted and may
> just keep on waiting for a security fix (or are ignorant about the problem
> entirely).
Correct me if I am wrong here, but this script is not meant to replace
debsecan, which is used to keep the user/admin updated about the
security situation on their box. This script, and its output, is to help
raise the profile of the security testing team's work by filling in the
giant gap in people's understanding about what our team accomplishes.
Previously people only understood the Secure-Testing team's work by
looking at what DTSAs were published over the year and concluding
incorrectly that we have done very little over the year. It's
understandable how people could come to this conclusion because there is
no clear profile of all the issues that have been fixed in the testing
distribution and the number of DTSAs is actually quite small because
many of the issues that we can fix we can do without needing to issue a
DTSA. This metric for measuring our productivity is a false one, based
on the correct one that can be used to measure the stable security
team's work. The difference between the two is great however as many
issues are fixed through mechanisms other than DTSAs, such as through NMUs,
migrations, bugs filed, maintainers poked and buildd managers prodded.
It's my understanding that this script's output is to help change that
metric, fill that gap and make it clearer the work that is being done by
everyone here!
Micah