Summary of DebConf5 from the point of view of this team:

- I gave my talk about securing testing. Thanks to Micah who demoed
  working with CAN/list during the talk. The paper for the talk as well
  as my slides are in svn at
  <svn+ssh://joeyh@svn.debian.org/svn/secure-testing/doc/talks/debconf5>.
  A video of the talk is at
  <http://dc5video.debian.net/2005-07-12/08-Securing_the_Testing_Distribution-Joey_Hess.mpeg>.

- The talk spurred quite a bit of interest and several congratulations
  on getting this far, which I want to pass along to the whole team. I
  got the impression from some people, like Bdale, that they had been
  waiting for this for a long time and were really pleased to see it
  happen. I think there's also a (valid) perception that we're doing a
  great job at comprehensively tracking vulnerabilities but not so good
  a job at actually fixing them, yet.

- There was enough interest for a BOF session with 20 or 30 attendees
  after the talk. One of the things we discussed there was cooperating
  more closely with the stable security team. But the only member in
  attendance was Matt Zimmerman, who is currently sorta inactive.

- One idea that came up was using this team as the foundation for a
  "public" security team, and keeping this separate from the vendor-sec
  stuff handled well enough by the stable team. I pointed out that I
  couldn't speak for the team about whether we were interested in
  tracking/dealing with stable security holes (and that I'm not so much
  interested in it myself).

- Ubuntu's security guy, Martin Pitt, was also there, and we also
  discussed ways to work with Ubuntu. He does more or less the same
  kind of work we do for tracking vulnerabilities, although he tries to
  automate the tracking of closed vulns via grepping changelogs with
  his script, as has been discussed here before. No firm conclusions
  were reached, and some kind of cooperation should be followed up on.

- People did not like the CAN-XXX-XXXX entries during the talk, and
  were also nonplussed by entries like "dpkg (unfixed)" that didn't
  have a bug number at the time (dpkg maintainer was in the audience
  and this was the first he'd heard of the zlib hole affecting dpkg). I
  hope we can do better at getting bugs filed quickly; this is an
  especial problem if one team member adds a CAN-XXX-XXXX with an
  unfixed item and no bug number as it can be hard to figure out what
  they're referring to then.

- Matt Zimmerman gave us some pointers on communicating with Mitre to
  get CAN numbers. He offered to forward things along to them (he's mdz
  at debian.org) and get CANs. Also, he's introduced us to Steven
  Christey at Mitre. Not sure if Steven's email address is publicly
  available so I won't post it here but I can send it to any member of
  the team, and when you have a new, generally unknown (ie, just
  discovered by someone in debian, not on bugtraq) security hole you
  should be able to mail him and get a CAN number assigned quickly. We
  can also use this to find/get CANs assigned for public holes that
  just seem to lack CANs, but that is a different process since they
  have to check for duplicates then; however mailing Steven should
  still work. This info may not be perfectly accurate, it's just what I
  recall from what Matt said.

- We've gained a new team member, Martin Zobel-Helas. zobel already
  tracks and deals with security holes for the packages in the volatile
  archive.

- zobel and Andreas Barth currently run Debian's experimental/volatile
  autobuilding network and they've volunteered to use that network for
  autobuilding testing security updates on all arches and providing a
  repo for them. We're still working out the details and setting things
  up.

-- 
see shy jo
Matt Zimmerman
2006-Mar-13 12:28 UTC
[Secure-testing-team] Re: [Secure-testing-commits] t-s bits from DebConf5
On Sat, Jul 23, 2005 at 01:54:11AM +0200, Moritz Muehlenhoff wrote:
> On Tue, Jul 19, 2005 at 10:39:33AM -0400, Joey Hess wrote:
> > - Ubuntu's security guy, Martin Pitt, was also there, and we also
> > discussed ways to work with Ubuntu. He does more or less the same
> > kind of work we do for tracking vulnerabilities, although he tries to
> > automate the tracking of closed vulns via grepping changelogs with
> > his script, as has been discussed here before. No firm conclusions
> > were reached, and some kind of cooperation should be followed up on.
>
> This works for Ubuntu, as all USN and their relative changelog entries
> are issued by a single person, but might trigger too many false positives
> for sid with its plethora of maintainers. I'd recommend to leave this
> with manual tracking.

This is actually used most often to see whether the Debian maintainer
already noted the fix, right Martin?

> > Not sure if Steven's email address is publicly
> > available
>
> Steven M. Christey <coley@linus.mitre.org> ?

That's him.

-- 
 - mdz
Joey Hess
2006-Mar-13 12:28 UTC
[Secure-testing-team] Re: [Secure-testing-commits] t-s bits from DebConf5
Moritz Muehlenhoff wrote:
> [Joey, I guess you meant to send this to -team? I'm Cc'ing to it now]

Must have been more jetlagged than I thought to send it to the commits
list instead of here.

> > - Ubuntu's security guy, Martin Pitt, was also there, and we also
> > discussed ways to work with Ubuntu. He does more or less the same
> > kind of work we do for tracking vulnerabilities, although he tries to
> > automate the tracking of closed vulns via grepping changelogs with
> > his script, as has been discussed here before. No firm conclusions
> > were reached, and some kind of cooperation should be followed up on.
>
> This works for Ubuntu, as all USN and their relative changelog entries
> are issued by a single person, but might trigger too many false positives
> for sid with its plethora of maintainers. I'd recommend to leave this
> with manual tracking.

Actually I think he greps all changelogs of all package changes, the
majority of which come direct from Debian. Anyway, I'd not want to use
this to automatically mark stuff fixed, but to use it to generate a list
of things to check would save some time.

> > - People did not like the CAN-XXX-XXXX entries during the talk, and
> > were also nonplussed by entries like "dpkg (unfixed)" that didn't
> > have a bug number at the time (dpkg maintainer was in the audience
> > and this was the first he'd heard of the zlib hole affecting dpkg). I
> > hope we can do better at getting bugs filed quickly; this is an
> > especial problem if one team member adds a CAN-XXX-XXXX with an
> > unfixed item and no bug number as it can be hard to figure out what
> > they're referring to then.
>
> Well, if there's a CAN-2005-XXXX with "unfixed" and no bug this means
> that I'd been too busy to file a report on it, but where I know that
> Debian is affected. That's still better than hiding that there's a
> problem. And for most issues googling for upstream's website should
> bring up the necessary information.

If you can at least add a note with a URL, that would help, then someone
else could take care of the bug filing.

> > - Matt Zimmerman gave us some pointers on communicating with Mitre to
> > get CAN numbers. He offered to forward things along to them (he's mdz
> > at debian.org) and get CANs. Also, he's introduced us to Steven
> > Christey at Mitre.
>
> That's good to hear.
>
> > Not sure if Steven's email address is publicly
> > available
>
> Steven M. Christey <coley@linus.mitre.org> ?

Yes and you can see the first crop of new CANs in the db now.

-- 
see shy jo
Martin Pitt
2006-Mar-13 12:28 UTC
[Secure-testing-team] Re: [Secure-testing-commits] t-s bits from DebConf5
Hi!

Matt Zimmerman [2005-07-25 16:20 -0700]:
> On Sat, Jul 23, 2005 at 01:54:11AM +0200, Moritz Muehlenhoff wrote:
> > On Tue, Jul 19, 2005 at 10:39:33AM -0400, Joey Hess wrote:
> > > - Ubuntu's security guy, Martin Pitt, was also there, and we also
> > > discussed ways to work with Ubuntu. He does more or less the same
> > > kind of work we do for tracking vulnerabilities, although he tries to
> > > automate the tracking of closed vulns via grepping changelogs with
> > > his script, as has been discussed here before. No firm conclusions
> > > were reached, and some kind of cooperation should be followed up on.
> >
> > This works for Ubuntu, as all USN and their relative changelog entries
> > are issued by a single person, but might trigger too many false positives
> > for sid with its plethora of maintainers. I'd recommend to leave this
> > with manual tracking.
>
> This is actually used most often to see whether the Debian maintainer
> already noted the fix, right Martin?

Matt, not sure what you mean by this, but if you mean "see if the fix is
applied in the unstable release", then yes.

changelog grepping generally works fine in my experience. Updates to
stable releases are generally done by only a handful of people who know
about CAN numbers, so grepping changelogs does not yield false
positives. The risk of getting those is of course present in the
unstable changelogs, but in practice it never happened to me to get a
false positive. And even if that happens, it doesn't do so much harm in
the unstable release since it can be fixed easily.

Thanks,

Martin

-- 
Martin Pitt                 http://www.piware.de
Ubuntu Developer            http://www.ubuntulinux.org
Debian Developer            http://www.debian.org
Moritz Muehlenhoff
2006-Mar-13 12:28 UTC
[Secure-testing-team] Re: [Secure-testing-commits] t-s bits from DebConf5
[Joey, I guess you meant to send this to -team? I'm Cc'ing to it now]

On Tue, Jul 19, 2005 at 10:39:33AM -0400, Joey Hess wrote:
> Summary of DebConf5 from the point of view of this team:
>
> - One idea that came up was using this team as the foundation for a
>   "public" security team, and keeping this separate from the vendor-sec
>   stuff handled well enough by the stable team. I pointed out that I
>   couldn't speak for the team about whether we were interested in
>   tracking/dealing with stable security holes (and that I'm not so much
>   interested in it myself).

As already mentioned on debian-security some time ago I think that's a
great idea and I'd be willing to help.

> - Ubuntu's security guy, Martin Pitt, was also there, and we also
>   discussed ways to work with Ubuntu. He does more or less the same
>   kind of work we do for tracking vulnerabilities, although he tries to
>   automate the tracking of closed vulns via grepping changelogs with
>   his script, as has been discussed here before. No firm conclusions
>   were reached, and some kind of cooperation should be followed up on.

This works for Ubuntu, as all USN and their relative changelog entries
are issued by a single person, but might trigger too many false positives
for sid with its plethora of maintainers. I'd recommend to leave this
with manual tracking.

> - People did not like the CAN-XXX-XXXX entries during the talk, and
>   were also nonplussed by entries like "dpkg (unfixed)" that didn't
>   have a bug number at the time (dpkg maintainer was in the audience
>   and this was the first he'd heard of the zlib hole affecting dpkg). I
>   hope we can do better at getting bugs filed quickly; this is an
>   especial problem if one team member adds a CAN-XXX-XXXX with an
>   unfixed item and no bug number as it can be hard to figure out what
>   they're referring to then.

Well, if there's a CAN-2005-XXXX with "unfixed" and no bug this means
that I'd been too busy to file a report on it, but where I know that
Debian is affected. That's still better than hiding that there's a
problem. And for most issues googling for upstream's website should
bring up the necessary information.

> - Matt Zimmerman gave us some pointers on communicating with Mitre to
>   get CAN numbers. He offered to forward things along to them (he's mdz
>   at debian.org) and get CANs. Also, he's introduced us to Steven
>   Christey at Mitre.

That's good to hear.

> Not sure if Steven's email address is publicly
> available

Steven M. Christey <coley@linus.mitre.org> ?

> - We've gained a new team member, Martin Zobel-Helas. zobel already
>   tracks and deals with security holes for the packages in the volatile
>   archive.
>
> - zobel and Andreas Barth currently run Debian's experimental/volatile
>   autobuilding network and they've volunteered to use that network for
>   autobuilding testing security updates on all arches and providing a
>   repo for them. We're still working out the details and setting things
>   up.

Great.

Cheers,
        Moritz
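The changelog-grepping idea that Joey, Moritz and Martin discuss in this thread, as an added example that is not part of the thread and is not Martin Pitt's script: it pulls CAN ids out of each Debian changelog entry and checks them against a tracker-style list of still-open items, producing a list to check by hand (Joey's "generate a list of things to check") rather than marking anything fixed, and setting aside mentions the tracker has no entry for, which is the false-positive class Moritz raises for sid. The package names, versions, maintainers and CAN ids in the sample are constructed placeholders.

```python
import re

CAN_RE = re.compile(r"\bCAN-\d{4}-\d{4,}\b")
HEADER_RE = re.compile(r"^(\S+) \(([^)]+)\) ([\w-]+); urgency=")

# Constructed sample changelogs; names, versions and CAN ids are placeholders.
SAMPLE_CHANGELOGS = {
    "zlib": """\
zlib (1:1.2.2-4) unstable; urgency=high

  * Fix buffer overflow in inflate() (CAN-2005-1000)

 -- A. Maintainer <am@example.invalid>  Tue, 12 Jul 2005 10:00:00 +0200
""",
    "dpkg": """\
dpkg (1.13.10) unstable; urgency=low

  * README: note that the embedded zlib copy is not hit by CAN-2005-2000

 -- B. Maintainer <bm@example.invalid>  Wed, 13 Jul 2005 10:00:00 +0200
""",
}

def parse_changelog(text):
    """One dict per entry: package, version, dist and the CAN ids it mentions."""
    entries = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            entries.append({"package": m.group(1), "version": m.group(2),
                            "dist": m.group(3), "cans": set()})
        elif entries:
            entries[-1]["cans"].update(CAN_RE.findall(line))
    return entries

def review_candidates(changelogs, unfixed, dists=("unstable",)):
    """changelogs: {package: text}; unfixed: {package: open CAN ids}.  Returns
    (candidates, unexpected): candidates are open items named in their own
    package's changelog in `dists`, a list to check by hand, never an auto-close;
    unexpected are mentions the tracker has no entry for (false positives)."""
    candidates, unexpected = [], []
    for pkg, text in changelogs.items():
        for e in parse_changelog(text):
            if e["dist"] in dists:
                for can in sorted(e["cans"]):
                    if can in unfixed.get(pkg, set()):
                        candidates.append((pkg, can, e["version"]))
                    else:
                        unexpected.append((pkg, can, e["version"]))
    return candidates, unexpected
```

Restricting `dists` to the distributions the tracker cares about is what keeps stable-security uploads and the like out of the list.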