[Secure-testing-team] Notes from Debconf 9 security BoF: July 29, 2009

Raphael Geissert geissert at debian.org
Sat Sep 26 18:02:37 UTC 2009


Hi,

I didn't see this thread until now :-/


Micah Anderson wrote:
[...]
> 
> Integrating security tracker information in the PTS, DEHS
> ----------------------------------------------------------
> 
> The information needs to be exposed more... all the maintainers know
> about the security issues when they are actively contacted by
> somebody, it should be more proactive from the maintainers. Some
> possible ways to make sure the maintainers are a bit more aware of the
> issues could be integration with the PTS, generating a per maintainer
> report (like the DEHS: http://dehs.alioth.debian.org/)

The per-maintainer view would be of more help for later integration with the
DDPO.
[...]
> TODO: nico will make sure fw will see this.

Update: a partial implementation has been put in place, but the list of
packages with unfixed issues is far from being perfect.
The current query is:
SELECT package FROM package_notes
 WHERE fixed_version IS NULL
   AND urgency <> 'unimportant'
   AND release NOT IN ('woody', 'sarge');

Suggestions as to how to easily get the list of *all* the open security
issues are welcome.

At the moment the file that is being used by the PTS is generated from my
account at alioth. In the future, it would be better if this information were
generated by, and made available directly from, the tracker.

> Enabling hardening options in squeeze
[...]
> TODO: raphael and jmm will work with lucas to begin the process of
> rebuilding the entire archive with these flags set, and then once we
> have packages available, we can ask for benchmarking info from
> developers.

Update: the rebuild was done. There were many build failures that didn't
seem to be related to the build options, but which didn't show up on the
normal rebuild. Any other updates on this?

> 
> Integrating security information into the DEHS
> ----------------------------------------------

s/DEHS/DDPO/ maybe?

> 
> jmm: there are some nag mails about RC bugs, it might be worth sending
> a weekly mail if you have an open security bug, everyone who has an open
> issue gets a mail: please get in touch with us, to get it fixed.
> 
> nico: this was discussed in essen, but something was missing (*looks*)
> 
> raph: wanted to mention that... once we start exporting the info for
> the PTS we can use the same info in the DDPO by mail.
> 

I haven't sent any ddpo-by-mail email in a while but plan to do that soon,
including information regarding unfixed security issues.

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
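Editor's added example (not code from the mail above or from the Debian security
tracker): the PTS export query quoted above, run over a constructed in-memory
sqlite3 copy of a package_notes table. The column names are taken from the
query itself; the table layout, the sample rows and the placeholder bug names
are assumptions made for the example. Note that the quoted query returns one
row per note, so a package with several open notes appears several times; the
second query groups by package and attaches the open bug names, which is the
shape a per-maintainer report or a ddpo-by-mail message would need.

```python
"""Reproduce the tracker's PTS export query over constructed data and
show a grouped per-package variant.  Added example; the schema and rows
are assumptions modelled on the query quoted in the mail, not tracker data."""
import sqlite3

# The query quoted in the mail, reformatted.  Returns one row per open note.
PTS_QUERY = """
SELECT package FROM package_notes
 WHERE fixed_version IS NULL
   AND urgency <> 'unimportant'
   AND release NOT IN ('woody', 'sarge');
"""

# Grouped variant (added here): one row per package, with the distinct open
# issue names attached, so a report can say *which* issues are unfixed.
GROUPED_QUERY = """
SELECT package,
       COUNT(*)                         AS open_notes,
       GROUP_CONCAT(DISTINCT bug_name)  AS issues
  FROM package_notes
 WHERE fixed_version IS NULL
   AND urgency <> 'unimportant'
   AND release NOT IN ('woody', 'sarge')
 GROUP BY package
 ORDER BY package;
"""

# Constructed sample rows; the CVE-style names are placeholders, not real
# tracker entries.  Layout: (bug_name, package, release, fixed_version, urgency)
SAMPLE_NOTES = [
    ("CVE-2009-0001", "foo", "lenny",   None,    "medium"),       # open
    ("CVE-2009-0001", "foo", "squeeze", None,    "medium"),       # same issue, other release
    ("CVE-2009-0002", "foo", "lenny",   "1.2-3", "high"),         # fixed -> excluded
    ("CVE-2009-0003", "bar", "sarge",   None,    "high"),         # only in an obsolete release -> excluded
    ("CVE-2009-0004", "baz", "sid",     None,    "unimportant"),  # excluded by urgency
    ("CVE-2009-0005", "qux", "sid",     None,    "low"),          # open
]


def build_db():
    """Create an in-memory package_notes table (assumed layout) and load the samples."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE package_notes (
        bug_name TEXT, package TEXT, release TEXT,
        fixed_version TEXT, urgency TEXT)""")
    conn.executemany("INSERT INTO package_notes VALUES (?,?,?,?,?)", SAMPLE_NOTES)
    return conn


def pts_packages(conn):
    """Run the query as quoted in the mail; duplicates are expected."""
    return [row[0] for row in conn.execute(PTS_QUERY)]


def grouped_report(conn):
    """Run the grouped variant: [(package, open_note_count, [bug_name, ...]), ...]."""
    return [(pkg, n, issues.split(","))
            for pkg, n, issues in conn.execute(GROUPED_QUERY)]


if __name__ == "__main__":
    db = build_db()
    print("PTS query:", pts_packages(db))
    for pkg, n, issues in grouped_report(db):
        print(f"{pkg}: {n} open note(s): {', '.join(issues)}")
```

Running it shows the filtering the quoted query performs (fixed notes, 'unimportant'
notes and notes that only concern woody/sarge drop out) and that "foo" is listed
twice by the original query but once, with its single open issue, by the grouped one.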
More information about the Secure-testing-team mailing list