[Secure-testing-team] debconf9

Steffen Joeris steffen.joeris at skolelinux.de
Mon Jul 27 02:05:35 UTC 2009


On Mon, 27 Jul 2009 05:21:29 am Stefan Fritsch wrote:
> >> Since I haven't been involved recently, nor was it my idea to organize
> >> this BoF, I also don't have particular agenda items in mind. So, topics
> >> for an agenda?
> >
> > I have a few points in mind which may be nice to discuss:
> > - more members for testing-security, how do we get new
> >   people in? I think we have become pretty good at
> >   maintaining the tracker recently but we really lack
> >   people who also fix bugs and write patches
> > - testing migration, almost no one cares about testing
> >   migration at the moment which is one of the reasons we
> >   don't have security support for testing at the moment
> > - testing security support, what needs to be done and how
> >   can we solve the current problems.
> > - Debian as a CNA, while we can assign CVE ids the current
> >   workflow is far from perfect, we have large delays
> >   sometimes getting CVE ids and I think binding this to one
> >   person is a rather bad idea.
>
> - how to push for enabling more hardening compile options in
>   squeeze
> - moving infrastructure to the new KVM instance (currently the
>   testing-security infrastructure is spread over three non
>   debian.org hosts)
> - tracking of packages that got into testing/unstable from
>   proposed upgrades (and how to detect if the maintainer uploads
>   a vulnerable version again)
Although I am not at debconf9, I'd have one point which could be discussed,
where I am not sure how to address it:

- Discuss how to make it clear again that (old)stable needs to be supported
by developers. It is no issue to admit that backporting is hard or there are
other issues with the code, but every developer should be able to help testing
their packages on (old)stable. It happens too often that we have to test some
random services we've never used and then we might miss a crucial testing
scenario.
-- My input: Maybe add something to the devref and prepare a mail to d-d-a@ ?


Also, is there a chance that the BoF will be recorded? I'd be interested in 
seeing the video. Live stream could be too hard I guess :(

Thanks to everyone for spending your holidays on security work. ;)

Cheers
Steffen