---------------------------------------------------------------------------
Debian Testing Security Team                                  May 12th, 2006
secure-testing-team@lists.alioth.debian.org
http://secure-testing-master.debian.net/
---------------------------------------------------------------------------

Testing security archive move

The Debian testing security team is pleased to announce the integration
of the secure testing archive to http://security.debian.org

We invite Debian users who are currently running testing, or who would
like to switch to testing, to subscribe to the secure-testing-announce
mailing list, which will be used to announce security updates.
<http://lists.alioth.debian.org/mailman/listinfo/secure-testing-announce>

We also invite you to add the following lines to your apt sources.list
file, and run "apt-get update && apt-get upgrade" to make the security
updates available.

deb http://security.debian.org etch/updates main contrib non-free
deb-src http://security.debian.org etch/updates main contrib non-free

This replaces the previous http://secure-testing.debian.net/ lines which
should no longer be used. There will be a transition period where
packages are uploaded to both, but you should now use the
http://security.debian.org lines.

Note that while all of Debian's architectures are supported, we may
release an advisory before fixed packages have built for all supported
architectures. If so, the missing builds will become available as they
complete.

Debian developers who would like to upload fixes for security holes in
testing to the repository can do so, following the instructions on our
web site.

Finally, we are still in the process of working out how best to serve
users of testing and keep your systems secure, and we welcome comments
and feedback about ways to do better. You can reach the testing security
team at secure-testing-team@lists.alioth.debian.org.

For more information about the testing security team, see our web site.
<http://secure-testing-master.debian.net/>.

-- 
A. Because it breaks the logical sequence of discussion
Q. Why is top posting bad?
gpg key - http://www.halon.org.uk/pubkey.txt ; the.earth.li B345BDD3
Francesco Poli
2006-May-13 16:11 UTC
[Secure-testing-team] Re: [SECURITY] Testing security archive move
On Sat, 13 May 2006 03:49:36 +0100 Neil McGovern wrote:

[...]
> Testing security archive move
[...]

Thanks! Your job is really appreciated.

> We also invite you to add the following lines to your apt sources.list
> file, and run "apt-get update && apt-get upgrade" to make the security
> updates available.
> 
> deb http://security.debian.org etch/updates main contrib non-free
> deb-src http://security.debian.org etch/updates main contrib non-free

Would

deb http://security.debian.org testing/updates main contrib non-free
deb-src http://security.debian.org testing/updates main contrib non-free

work as well?
I mean: some people like to have "etch" in their sources.list, so that
they will go on using etch even when it becomes a stable release.
Some other people prefer having "testing" in their sources.list, so that
they always track testing, even during the codename switch that happens
when a new stable is released.

[...]
> Finally, we are still in the process of working out how best to serve
> users of testing and keep your systems secure, and we welcome comments
> and feedback about ways to do better. You can reach the testing
> security team at secure-testing-team@lists.alioth.debian.org.

IIUC, the infrastructure for securing Debian testing has been set up and
works properly.
My impression is that more people should be involved in the testing
security team (I mean: more people as smart and fine as those who are
currently involved). This way, keeping up with the rate of new
vulnerabilities (that are discovered or enter testing) could become a
little easier.

In the meanwhile, I think it would be nice to have a graph of
vulnerabilities in testing versus time (something somewhat similar to
http://bugs.debian.org/release-critical/).
http://spohr.debian.org/~joeyh/testing-security.html
is my primary source of information about the security of testing.

I created a little script to keep such a graph updated.
It's still unpublished, but I can send it to you (under the Expat a.k.a.
MIT license) accompanied by the data that I collected (about once a day)
since 11 September 2005, if you're interested.
The gzipped tar archive is less than 6 kbyte long: may I send it as an
attachment to the e-mail address I'm currently writing to?

HTH.

P.S.: please Cc: me on replies, thanks.

-- 
:-(   This Universe is buggy! Where's the Creator's BTS?   ;-)
......................................................................
Francesco Poli                             GnuPG Key ID = DD6DFCF4
Key fingerprint = C979 F34B 27CE 5CD8 DC12  31B5 78F4 279B DD6D FCF4
Anthony DeRobertis
2006-May-14 15:39 UTC
[Secure-testing-team] Re: Testing security archive move
Neil McGovern wrote:
> deb http://security.debian.org etch/updates main contrib non-free
> deb-src http://security.debian.org etch/updates main contrib non-free
>

Errrmmmm... apt-get says:

Failed to fetch http://security.debian.org/dists/etch/updates/Release
Unable to find expected entry main/binary-amd64/Packages in Meta-index
file (malformed Release file?)

And, indeed, despite appearing in Architectures, there is no
binary-amd64 in the release file.
Javier Fernández-Sanguino Peña
2006-May-15 08:16 UTC
[Secure-testing-team] Re: [SECURITY] Testing security archive move
On Sat, May 13, 2006 at 12:53:10PM +0200, Francesco Poli wrote:
> is my primary source of information about the security of testing.
> 
> I created a little script to keep such a graph updated.
> It's still unpublished, but I can send it to you (under the Expat a.k.a.
> MIT license) accompanied by the data that I collected (about once a day)
> since 11 september 2005, if you're interested.
> The gzipped tar archive is less than 6 kbyte long: may I send it as an
> attachment to the e-mail address I'm currently writing to?

I would be interested in having that, if you don't mind :-)

Regards

Javier
Francesco Poli
2006-May-15 23:24 UTC
[Secure-testing-team] Re: [SECURITY] Testing security archive move
Skipped content of type multipart/mixed
Francesco Poli
2006-May-21 00:07 UTC
[Secure-testing-team] Re: [SECURITY] Testing security archive move
On Mon, 15 May 2006 23:00:57 +0200 Francesco Poli wrote:

> On Mon, 15 May 2006 10:16:15 +0200 Javier Fernández-Sanguino Peña
> wrote:
> 
> > On Sat, May 13, 2006 at 12:53:10PM +0200, Francesco Poli wrote:
> > > is my primary source of information about the security of testing.
> > > 
> > > I created a little script to keep such a graph updated.
> > > It's still unpublished, but I can send it to you (under the Expat
> > > a.k.a. MIT license) accompanied by the data that I collected
> > > (about once a day) since 11 september 2005, if you're interested.
> > > The gzipped tar archive is less than 6 kbyte long: may I send it
> > > as an attachment to the e-mail address I'm currently writing to?
> > 
> > I would be interested in having that, if you don't mind :-)
> 
> Thanks for your interest in my little creature... ;-)
> Here it is!
[...]

Did the list correctly receive my attachment?
Web archives seem to indicate that it was dropped:
http://lists.alioth.debian.org/pipermail/secure-testing-team/2006-May/000767.html

I can re-send the script personally to anyone who's interested, if
needed...

-- 
:-(   This Universe is buggy! Where's the Creator's BTS?   ;-)
......................................................................
Francesco Poli                             GnuPG Key ID = DD6DFCF4
Key fingerprint = C979 F34B 27CE 5CD8 DC12  31B5 78F4 279B DD6D FCF4
Stefan Fritsch
2006-May-21 20:32 UTC
[Secure-testing-team] Re: [SECURITY] Testing security archive move
On Sunday 21 May 2006 01:05, Francesco Poli wrote:
> Did the list correctly receive my attachment?
> Web archives seem to indicate that it was dropped:
> http://lists.alioth.debian.org/pipermail/secure-testing-team/2006-May/000767.html
> 
> I can re-send the script personally to anyone who's interested, if
> needed...

I received it ok, so it's probably only a problem with the list archive.
Didn't have time to look at it yet, though.

Cheers,
Stefan
Anthony DeRobertis
2006-Jun-04 21:05 UTC
[Secure-testing-team] Re: Testing security archive move
Anthony DeRobertis wrote:
> Errrmmmm... apt-get says:
> 
> Failed to fetch http://security.debian.org/dists/etch/updates/Release
> Unable to find expected entry main/binary-amd64/Packages in
> Meta-index file (malformed Release file?)
> 
> 
> And, indeed, despite appearing in Architectures, there is no
> binary-amd64 in the release file.
> 
> 

And indeed, it's still that way.... anyone know what's going on?
Goswin von Brederlow
2006-Jun-05 07:54 UTC
[Secure-testing-team] Re: Testing security archive move
Anthony DeRobertis <anthony@derobert.net> writes:

> Anthony DeRobertis wrote:
>> Errrmmmm... apt-get says:
>>
>> Failed to fetch
>> http://security.debian.org/dists/etch/updates/Release Unable to
>> find expected entry main/binary-amd64/Packages in Meta-index file
>> (malformed Release file?)
>>
>>
>> And, indeed, despite appearing in Architectures, there is no
>> binary-amd64 in the release file.
>>
>>
> And indeed, it's still that way.... anyone know what's going on?

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=369185

No reaction yet.

MfG
        Goswin
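The breakage Anthony reports (and Goswin tracks in #369185) is a consistency failure inside the Release file: the Architectures field promises amd64, but no main/binary-amd64/Packages entry appears in the hash lists, so apt refuses the whole meta-index. The script below is an added example written for this thread, not apt's code and not anything from the Debian security team. It parses a Release file and reports every component/architecture Packages index that the file declares but does not list, plus the inverse (indexes present for an architecture that is not declared). The Release text, the hashes and sizes are constructed for the example; the path layout (`<component>/binary-<arch>/Packages` relative to the Release file, which is the entry apt names in the quoted error) is assumed.

```python
"""Check that a Debian Release file indexes every architecture it claims.

Added example for this thread, not code from apt or the Debian security
team.  It reproduces the check behind apt's "Unable to find expected entry
main/binary-amd64/Packages in Meta-index file" error.
"""

import re
import sys
from typing import Dict, List, Set, Tuple

# Constructed sample (not a real archive file): Architectures claims amd64,
# but only binary-i386 index files are listed under the hash sections, which
# is the situation reported in the thread.  Hashes and sizes are dummies.
SAMPLE_RELEASE = """\
Origin: Debian
Label: Debian-Security
Suite: testing
Codename: etch
Architectures: amd64 i386
Components: main contrib non-free
Description: constructed sample, not a real Release file
MD5Sum:
 d41d8cd98f00b204e9800998ecf8427e 0 main/binary-i386/Packages
 d41d8cd98f00b204e9800998ecf8427e 0 main/binary-i386/Packages.gz
 d41d8cd98f00b204e9800998ecf8427e 0 contrib/binary-i386/Packages
 d41d8cd98f00b204e9800998ecf8427e 0 contrib/binary-i386/Packages.gz
 d41d8cd98f00b204e9800998ecf8427e 0 non-free/binary-i386/Packages
 d41d8cd98f00b204e9800998ecf8427e 0 non-free/binary-i386/Packages.gz
SHA1:
 da39a3ee5e6b4b0d3255bfef95601890afd80709 0 main/binary-i386/Packages
"""

HASH_SECTIONS = {"MD5Sum", "SHA1", "SHA256"}
# One indented "<hex digest> <size> <path>" line under a hash section.
HASH_LINE = re.compile(r"^\s+([0-9a-fA-F]+)\s+(\d+)\s+(\S+)\s*$")


def parse_release(text: str) -> Tuple[Dict[str, str], Set[str]]:
    """Return the top-level fields and the set of paths listed under the
    MD5Sum/SHA1/SHA256 sections (paths are relative to the Release file)."""
    fields: Dict[str, str] = {}
    paths: Set[str] = set()
    section = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t":
            # Indented: a hash entry if inside a hash section, otherwise a
            # continuation of a multi-line field, which we ignore here.
            m = HASH_LINE.match(line)
            if section is not None and m:
                paths.add(m.group(3))
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key in HASH_SECTIONS and not value:
            section = key
            continue
        section = None
        fields[key] = value
    return fields, paths


def missing_packages_indexes(text: str) -> List[str]:
    """Every <component>/binary-<arch>/Packages the Release file should index
    (per its Architectures and Components fields) but lists in no compression
    variant.  apt fails on the first of these."""
    fields, paths = parse_release(text)
    archs = fields.get("Architectures", "").split()
    comps = fields.get("Components", "").split()
    missing: List[str] = []
    for comp in comps:
        for arch in archs:
            base = f"{comp}/binary-{arch}/Packages"
            if not any(p == base or p.startswith(base + ".") for p in paths):
                missing.append(base)
    return missing


def undeclared_architectures(text: str) -> List[str]:
    """The inverse check: architectures that have binary-<arch> indexes listed
    but are absent from the Architectures field."""
    fields, paths = parse_release(text)
    declared = set(fields.get("Architectures", "").split())
    seen: Set[str] = set()
    for p in paths:
        m = re.search(r"/binary-([^/]+)/", p)
        if m:
            seen.add(m.group(1))
    return sorted(seen - declared)


if __name__ == "__main__":
    # Usage: python3 check_release.py [path/to/Release]; defaults to the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RELEASE
    for entry in missing_packages_indexes(text):
        print(f"missing index: {entry}")
    for arch in undeclared_architectures(text):
        print(f"indexed but not declared: {arch}")
```

Run it against a Release file fetched from the mirror to see which builds are missing before filing or following up on a bug. The script only checks internal consistency; it does not verify the detached Release.gpg signature, which apt does separately, so it says nothing about whether the file is authentic.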
Francesco Poli
2006-Jun-15 23:24 UTC
[Secure-testing-team] Re: [SECURITY] Testing security archive move
On Thu, 15 Jun 2006 09:59:12 -0400 Micah Anderson wrote:

[...]
> Francesco Poli wrote:
> 
> >>http://spohr.debian.org/~joeyh/testing-security.html
> >>is my primary source of information about the security of testing.
> 
> You might want to have a look at http://idssi.enyo.de/tracker for a
> more robust interface to this information.

Thanks for the suggestion.
I knew about it, but I haven't yet found enough time to dig into it and
understand it better...

It seems to report a fairly large amount of information.
It also seems to track vulnerabilities in stable, which is very useful!

On the other hand, other interesting pieces of information that are
included in http://spohr.debian.org/~joeyh/testing-security.html seem to
be missing in http://idssi.enyo.de/tracker, unfortunately.
For instance, direct links to BTS bug reports and direct links to
unstable->testing migration status pages (that is to say, to
http://bjorn.haxx.se/debian/ pages).
Another feature that could be handy is a final summary with number of
vulnerabilities in the various categories (for testing: unfixed, fixed
in unstable, fixed in testing-security-update).

Well, at the end of the day, why are these two pages distinct and
separate?
Wouldn't it be more useful and more practical if
http://spohr.debian.org/~joeyh/testing-security.html and
http://idssi.enyo.de/tracker were merged in one single coherent tracking
system?

> 
> >> Thanks for your interest in my little creature... ;-)
> >> Here it is!
> 
> [...]
> 
> Do you have a URL to the graphs?

Well, no, that's why I sent the script to the mailing list!  ;-)
I hope that someone can review it and possibly adopt it as an "official"
graph-generating tool for summarizing
http://spohr.debian.org/~joeyh/testing-security.html ...

-- 
:-(   This Universe is buggy! Where's the Creator's BTS?   ;-)
......................................................................
Francesco Poli                             GnuPG Key ID = DD6DFCF4
Key fingerprint = C979 F34B 27CE 5CD8 DC12  31B5 78F4 279B DD6D FCF4
Francesco Poli
2006-Jun-19 21:59 UTC
[Secure-testing-team] Re: [SECURITY] Testing security archive move
On Thu, 15 Jun 2006 23:28:56 +0200 Francesco Poli wrote:

[ about http://idssi.enyo.de/tracker ]
> It seems to report a fairly large amount of information.
> It also seems to track vulnerabilities in stable, which is very
> useful!

I did a little trivial counting of vulnerabilities (as tracked by
[1][2][3]) and here's the results, as of today:

[1] http://idssi.enyo.de/tracker/status/release/unstable
[2] http://idssi.enyo.de/tracker/status/release/testing
[3] http://idssi.enyo.de/tracker/status/release/stable

                                 unstable   testing   stable
------------------------------------------------------------
low                                  96        99      160
medium                               61        63      105
high                                 15        28       30
unclassified                         34        59       66
------------------------------------------------------------
both in testing & unstable                    177
fixed in unstable                              72
------------------------------------------------------------
total                               206       249      361
------------------------------------------------------------
fixed in testing-security                       1
------------------------------------------------------------

If I read these data correctly, it seems that testing could be said to
be currently more secure than stable!
And unstable seems to be even more secure...

Is my count correct?
Are my conclusions correct?
Is there anything that I miss?
What do you think?

-- 
:-(   This Universe is buggy! Where's the Creator's BTS?   ;-)
......................................................................
Francesco Poli                             GnuPG Key ID = DD6DFCF4
Key fingerprint = C979 F34B 27CE 5CD8 DC12  31B5 78F4 279B DD6D FCF4