What follows is a summary of the first testing-security meeting held at Oldenburg September 22, 2005 with joeyh, micah, jmm, lamont in attendance: . Discussed stable security and Brandon''s arrival and what testing-security can offer to help with stable-security issues . transparency of stable security - tracking tools . stable is primarily responsible for embargoed issues . Discussed vendor-sec criteria and if it made sense for testing-security people to try and obtain it. The general consensus was that the majority of the issues we deal with are already public or get fixed in such a short time that we do not need to have access to embargoed issues. . Discussed each person''s work-flow to get an idea of what lists/websites each of us monitor and ways that we identify problems/fixes. Getting these things documented would help identify what is missing and what new people can help with. . watching for holes: watch/scan bugs that are tagged in the BTS lists: bugraq, bug-dists, debian-devel-changes (should filebugs, tag security), full disclosure, lkml "exploit tree" as potentially useful if we could manage to track it . checking for the existence of packages affected by issues: search for ITP check for previous advisory check packages.debian apt-cache search . couple times a week, open each bug on testing-security page tabs and check to see if they are closed NOTE: if a CVE advisory says fixed in version 1.5 and later, you should not trust this and see if it is vulnerable in versions prior if they are in debian . We talked about some of the issues on Mortiz'' email, and identified some interesting things to work on: tsck: make it just svn update the secure-testing list, but not the html page, or smaller subset adapt it to the new syntactical changes to the list (urgencies etc.) user-tags: use testing-security, mark as reviewed, also mark bugs that have a CVE id with that ID retroactive list clensing: go through CAN/list to retroactively add not-affected to issues that do not have it perhaps add more tags that fw has created documentation issues: overview of developer''s reference changes (micah is working on making these changes) DTSA criteria: we only identified that we should figure this out agreeing on severity levels and embedded source/removed packages so it can be documented workflow overview Others: We didn''t get through the whole list, but will at later meetings -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: Digital signature Url : http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20050923/3fab8476/attachment.pgp