[Secure-testing-team] discussing things in NOTE's

Nico Golde debian-secure-testing+ml at ngolde.de
Thu May 21 09:47:28 UTC 2009


Hi,
* Michael S. Gilbert <michael.s.gilbert at gmail.com> [2009-05-21 10:23]:
> On Wed, 20 May 2009 18:43:15 +0200, Thijs Kinkhorst wrote:
[...] 
> > Taking the 'no-dsa' issue: either there's going to be a DSA, or there's not
> > going to be a DSA. That fact can be debated just fine on our mailing lists or
> > in a relevant bug. Those means provide much better overviews and space for
> > who thinks what, to respond to arguments etc. In the end there has to be a
> > conclusion, we do either this or that. That conclusion/decision will be
> > documented in the tracker.
> 
> OK, I agree with this philosophy in intent. However, in practice I
> see some problems:
> 
> 1. If discussion happens in the relevant bug, then the security team
> will not automatically be made aware of that discussion (solution
> would be to forward all discussion on bugs marked security to
> secure-testing-team list).

I see no problem with that in practice; the security team
gets Cced on all security bugs, and it's our job to keep
track of the important ones and follow the bug reports.
Besides that, there are people like me following
debian-bugs-dist.

> 2. If discussion happens on the security mailing list, the maintainer
> will not be aware, and there is no link to the discussion from the
> tracker for posterity.

Also rather a workflow problem than a technical one. If 
people forget to Cc the relevant people, change that.

> > > note that 
> > > dissenting opinions in US Supreme Court decisions are just as important
> > 
> > I cannot envision any security issue that would be comparable to a supreme 
> > court case, nor can I even begin to think that we are operating even remotely 
> > like a "supreme court".
> 
> Just making a light-hearted analogy of the importance of giving everyone
> a voice and the importance of recording that voice for future posterity
> (specifically for anyone who does research using the tracker).

You have a voice ;)

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - nion at jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.