[Secure-testing-team] [webkit-security] need help triaging deluge of webkit-related security issues

Michael S Gilbert michael.s.gilbert at gmail.com
Mon Aug 31 02:43:29 UTC 2009


On Fri, 21 Aug 2009 14:44:45 -0700 Aaron Sigel wrote:
> I'd like to nominate debian to join the webkit-security list, but I'd  
> also like it if the addresses / people I nominated were @debian.org.
> 
> Who should I nominate?  Names + email address would be appreciated.
> 
> Aaron
> 
> On Aug 9, 2009, at 10:00 PM, Michael S Gilbert wrote:
> 
> > hello,
> >
> > i sent the following mail a few weeks ago, and have not heard anything
> > yet.  security of your downstream vendors is of utmost importance for
> > webkit to gain traction as a trustable browser engine.
> >
> > if downstreams are not going to be able to get sufficient access to
> > security information, users will start to notice and will stick with
> > more trustable products that have "mature" security practices, like
> > mozilla.
> >
> > is there any way that you could provide this info to debian?  you
> > don't even have to go through me.  you can contact their private list
> > if you so desire: team at security.debian.org; although that should not
> > be necessary since all of these issues are already public.
> >
> > mike
> >
> > On Sun, Jul 19, 2009 at 8:42 PM, Michael S Gilbert wrote:
> >> hello,
> >>
> >> the debian project (and likely other webkit downstreams) are in
> >> desperate need of assistance triaging the deluge of 30+ webkit
> >> security bugs that came through apple recently [1].  the problem,
> >> of course, is that the apple announcements are effectively useless
> >> since there is no information about patches and bug reports for
> >> the problems.  hence, it makes it very difficult to determine which
> >> webkit versions are affected; and also to find the patches needed
> >> to address the problems.
> >>
> >> if you can help me track down the patches/bug reports, that would be
> >> great.  thank you for any assistance you can provide.

i haven't seen anyone respond to this for a couple weeks, so i'll chime
in to get the ball rolling.  Florian Wiemer (fw at debian dot org),
Nico Golde (nion at debian dot org), Thijs Kinkhorst (thijs at
debian dot org), and Moritz Muehlenhoff (jmm at debian dot org) are the
big names in debian security. Florian, in particular, deals with most of
the vendor-sec issues. hopefully one or more of them would be
interested in participating on the webkit security team/list.

mike


