Bits from the Security Team
Use of RT
=========

The Security Team is now using Request Tracker to coordinate work and
our RT processes have already been refined a lot. If you're a package
maintainer working towards a security update, you're now encouraged to
open a ticket directly. You will be kept in CC during the lifetime of
the ticket.

If you're opening a ticket for a security problem, which is not yet
publicly known, e.g. if you've discovered it by yourself or if you have
been contacted by upstream, please open a ticket in the
"Security - Private" queue. These issues will only be visible by the
Security Team.

If you're opening a ticket for a security problem which is publicly
known, e.g. if it's announced on the project web site, please open a
ticket in the "Security" queue. These issues will be visible publicly.

Security Patch Test Program
===========================

We're planning to improve our quality assurance process for security
updates by providing a public security update beta test program in
addition to the existing QA done for security updates.

During the preparation of security updates, there's an inherent delay
between the initial upload of the fixed packages and the time until the
packages have been built on porter machines. This time gap will be used
for a new security update beta program.

The test program will be targeted at large installations, which install
security updates in a test environment before installing them into the
production environment. This test group will be initially limited.

Public patch review
===================

To ease review of updates and increase transparency, a new mailing list
is planned, on which the diffs made for security updates are being
posted.

Anyone wishing to help implement this should contact
team@security.debian.org

Open issues for Lenny
======================

Some technical issues have been communicated to the release managers,
which affect the release of Lenny and the packages contained within.
Most of these will be handled through bug reports, some of them are
already filed, so you should be aware of them already if you maintain
such a package. As an example some legacy libs will be phased out to
reduce the security maintenance overhead (e.g. Gnome 1.x packages).

If there's anything you'd like to bring to our attention, please contact
us at team@security.debian.org

Minor security fixes as part of a stable point update
======================================================

Some security issues are not severe enough to be fixed through a Debian
Security Advisory. Some of them might still be fixed through the regular
point updates, where they cause less work for the administrator
installing the updates.

Nico Golde <nion@debian.org> is coordinating these updates and can
assist the respective maintainer in the necessary procedures.

Looking for new Security Team Members
=====================================

We've recently extended our ranks by Thijs and Florian and we're looking
for up to two more people to broaden our basis further.

The basic requirements are:

* You need to have experience with security work before. Please outline
  what you've done in the past, both within and without Debian.

* You must have time to kill. You'll need to be able to dedicate a chunk
  of time each week to this task, and be able to keep up with what's
  going on on a close to daily basis. Also, please tell us, in which
  time zone you live and during which times you'll typically be able to
  communicate with the rest of us.

* Diligence is the key.

* You need to be an experienced programmer, both in understanding
  existing code and in creating / backporting patches. You don't need to
  be able to understand every language in our archive (which is
  impossible), but tell us about your existing skill set.

* You need to be familiar with how the wide variety of Debian packages
  are maintained, patched and built. If you're not scared by packages
  generating their patch series by applying sed statements from cdbs
  include files before passing the patches through an awk filter to
  quilt until they're finally built with yada, you might be the right
  person.
Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.