[Secure-testing-team] Security update for Debian Testing

Stefan Fritsch sf at sfritsch.de
Tue Sep 11 20:02:08 UTC 2007


Hi,

On Tue, 11 Sep 2007, Steffen Joeris wrote:
> I would just add a short comment here:
>
> In case the package got removed, we encourage the admin to remove
> the package as well or take other measures.

This blurb is automatically added if there is a package that is 
removed:

The following issues have been "fixed" by removing the (source) 
packages from testing. This probably means that you have to manually 
uninstall the corresponding binary packages to fix the issues. It can 
also mean that the packages have been replaced, or that they have 
been temporarily removed by the release team to make transitions from 
unstable easier.


>> 	deb http://security.debian.org lenny/updates main contrib non-free
>
> I would also add the normal line for ftp.debian.org here (maybe
> without contrib and non-free). This again makes sure that the people
> have both in and get the package fixes from migration.

I will add a note (people will have to use their own mirrors anyway).


> I was talking to nion last night and we were unsure about the 
> following. The DTSA announcements always included some nice 
> additional information and I would guess that sysadmins appreciate 
> this information in the announcement. Therefore, we were wondering, 
> if we should continue sending out DTSA announcements for uploads to 
> testing-security, in addition to this mail. Of course, if there are 
> strong objections, we will leave it out.

The problem is that DTSA announcements give the impression that the 
uploads to testing-security are more important than the fixes that 
are migrating from unstable. But this is misleading. For example, the 
krb5 fixes were very important but came via unstable. Therefore I am 
against different types of announcements.

On Tue, 11 Sep 2007, Nico Golde wrote:
> Not only the description is a nice-to-have but also the
> Subject line of the mail gets a big attention and stripping
> the useful information out there like which package is
> affected doesn't look like a good idea while these summary
> mails are indeed useful. Is there any way to automate DTSA
> announcements? That would be really great since there is so
> much you need to look at that could be made wrong but
> generating the mail out of an .adv file shouldn't be a big
> deal. Am I missing something?

Of course the old announcements contained more information. But this 
had to be added by hand (in the .adv file) and is not available for 
all issues. If there was some publicly available source for short CVE 
summaries, I would include them.

But putting the list of packages in the subject would probably be 
possible (at least if there are only a few fixes).

Cheers,
Stefan