Debconf5: Securing the Testing Distribution

Posted Jul 21, 2005 12:25 UTC (Thu) by madscientist (subscriber, #16861)
Parent article: Debconf5: Securing the Testing Distribution

It's good that someone is checking security issues in testing, but the article doesn't say (and I couldn't tell from the linked site) how security fixes would be applied to testing.

The major disadvantage to testing, as pointed out in the article, is that security fixes that appear in sid take a while to flow into testing (that's how testing is designed to work). So, is that being changed? What's the new model going to be?



Debconf5: Securing the Testing Distribution

Posted Jul 21, 2005 14:11 UTC (Thu) by syntaxis (guest, #18897)

"the article doesn't say (and I couldn't tell from the linked site) how security fixes would be applied to testing."

Joey Hess covered this in his Debconf talk: http://dc5video.debian.net/2005-07-12/08-Securing_the_Tes.... Obviously the best thing would be for you to download and watch it yourself, getting the information straight from the horse's mouth, but here's my attempt at a summary based on my impressions:

He reckons that using the testing-proposed-updates infrastructure would be the ideal solution (assuming it would have access to autobuilders, etc) but it's currently within the purview of the official *Stable* security team, of which he is not a member. Due to the Stable security team being a member of vendor-sec (i.e. having to keep fixes secret and embargoed until a mutually-agreed-upon date of public disclosure) they might have concerns about allowing outsiders the necessary access to security.debian.org, and perhaps they'd be worried about the additional load on their autobuild network possibly delaying updates to Stable. I guess they'd also have to work out exactly how the two teams would interoperate when Testing is next frozen (at which point the official Stable security team has historically begun to support it, uploading their own fixes to t-p-u).

In the short term, Joey proposes the Testing security team setting up its own repository (complete with its own autobuilders) focusing initially on x86 and perhaps a few of the other major architectures and expanding from there. It would be just another entry in people's sources.list.
