Micah Anderson wrote:
> I agree actually. What do people think about sending another update to
> debian-devel-announce, and debian-security with a status update of our
> work, and where we are going? Additionally, updating any relevant
> websites (what website was being referred to in saying "... the Debian
> website should be informed about this"?)

Announce is a good idea. I assume he meant www.debian.org which AFAIK does
not link to us at all.

> Now that Sarge has released, the testing-security team is shifting
> gears from our pre-release activities to our post-release work. What
> follows is a report on our activities thus far, and our future plans.
>
> Testing-Security Accomplishments pre-Sarge
> ------------------------------------------
>
> Testing-security performed a massive security review of *all* CAN and
> CVE entries announced since the release of woody, performed a scan of
> every DSA since woody's release and checked all DSAs to see if fixes
> for those security holes had reached testing. This process uncovered
> a few security holes that hadn't been fixed in testing for a year or
> more, although these were exceptions.
>
> We set up an automatic SVN repository updater of the CAN list, bringing
> in fresh CANs/CVEs from Mitre. This allowed us to become alert to
> CANs/CVEs that were released as soon as possible so that we could
> check them. We also set up a webpage that is automatically updated
> based on the status of this SVN repository.
>
> Statistics
> . how many items we have processed

6536 (as of a few days ago)

> . how many affected Debian at some point

1226; affecting 498 distinct packages and taking 918 package uploads to fix.

> . how many are unfixed in etch now

currently 56 per web site

> . how many we have remaining to do

currently 44 TODO lines

> Etching our way towards Testing-Security
> ----------------------------------------

Me shudders even harder at the pun since "edge" seems to be the 100% most
popular typo for "etch".

> Now that Sarge has released the testing-security team is shifting
> gears from keeping the security pressure on for the release towards
> building out our infrastructure to provide more security support for
> testing. The team has worked hard to get Sarge secure, and we now have
> a testing distribution with no old security holes in it.
>
> Now we'd like to start providing regular security updates for testing.
> This means developing a DTSA (Debian Testing Security Advisories)
> procedure and beginning to perform proper DTSAs for all architectures,
> releasing GPG signed advisories to a mailing list and website. Our goal
> would be to provide timely security updates for testing, making fixes
> available no more than four days after a DSA is released.

Would be good if this could give some concrete details, or at least our
current preferred way to do it and contingency plan if getting an upload
queue and security.debian.org space doesn't work out.

> Develop ways to work with the official security team to streamline
> security problems that come through testing into stable.
>
> Work with maintainers to include security fixes from unstable that do
> not have DSAs.
>
> Continue maintaining a public database and statistics about the
> current state of security in testing.

These are good points but need some expansion.

-- 
see shy jo
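The four figures filled in above (items processed, items that affected Debian with the distinct packages and uploads involved, items still unfixed, and open TODO lines) are the kind of numbers an automatically updated status page derives from the tracked CAN/CVE list. The script below is an added example and is not the secure-testing team's own tooling; the tracker file format it parses is a constructed, simplified one (an unindented CAN-/CVE- header line followed by indented "- package version", "NOT-FOR-US:" or "TODO:" lines), and the rule that "<unfixed>" marks an open issue in testing is an assumption made for the example.

```python
"""Derive status statistics from a simplified CAN/CVE tracker file.

Added example, not the secure-testing team's own code. The file format is
constructed for illustration: a header line starting with CAN- or CVE-,
followed by indented status lines for that entry.
"""
import re
from dataclasses import dataclass, field

# Constructed sample tracker content (not real entries).
TRACKER_SAMPLE = """\
CAN-2005-0001 (constructed: buffer overflow in foo)
\t- foo 1.2-3 (bug #100)
\tTODO: check whether the etch build picked this up
CAN-2005-0002 (constructed: not a Debian package)
\tNOT-FOR-US: some proprietary product
CVE-2005-0003 (constructed: two affected packages, one still open)
\t- bar 2.0-1
\t- baz <unfixed>
CAN-2005-0004 (constructed: fixed by the same foo upload as 0005)
\t- foo 1.2-4
CAN-2005-0005 (constructed: fixed in two uploads)
\t- foo 1.2-4
\t- qux 0.9-2
CAN-2005-0006 (constructed: waiting on triage)
\tTODO: check
"""

HEADER_RE = re.compile(r'^(CAN|CVE)-\d{4}-\d+')
# Indented package line: "- <package> <fixed version or <unfixed>> ..."
PKG_RE = re.compile(r'^\s+-\s+(\S+)\s+(\S+)')
UNFIXED = '<unfixed>'


@dataclass
class Entry:
    ident: str
    # package name -> fixed version, or UNFIXED if no fix is in testing yet
    packages: dict = field(default_factory=dict)
    todo: bool = False
    not_for_us: bool = False


def parse_tracker(text):
    """Parse the constructed tracker format into a list of Entry objects."""
    entries = []
    current = None
    for line in text.splitlines():
        header = HEADER_RE.match(line)
        if header:
            current = Entry(ident=header.group(0))
            entries.append(current)
            continue
        if current is None or not line.strip():
            continue  # stray or blank line outside any entry
        stripped = line.strip()
        if stripped.startswith('TODO:'):
            current.todo = True
        elif stripped.startswith('NOT-FOR-US:'):
            current.not_for_us = True
        else:
            pkg = PKG_RE.match(line)
            if pkg:
                current.packages[pkg.group(1)] = pkg.group(2)
    return entries


def statistics(entries):
    """Compute the figures reported in the thread from parsed entries."""
    affected = [e for e in entries if e.packages]
    distinct_packages = {p for e in affected for p in e.packages}
    # An upload is one (package, version) pair; the same upload may close
    # several entries, so count the set rather than the occurrences.
    uploads = {(p, v) for e in affected for p, v in e.packages.items()
               if v != UNFIXED}
    unfixed = sum(1 for e in affected
                  if any(v == UNFIXED for v in e.packages.values()))
    return {
        'processed': len(entries),
        'affected': len(affected),
        'distinct_packages': len(distinct_packages),
        'uploads': len(uploads),
        'unfixed': unfixed,
        'todo': sum(1 for e in entries if e.todo),
    }


if __name__ == '__main__':
    for key, value in statistics(parse_tracker(TRACKER_SAMPLE)).items():
        print(f'{key}: {value}')
```

Counting uploads as distinct (package, version) pairs matters because one maintainer upload often closes several entries at once, so a per-entry count would overstate the work done; the same de-duplication applies when the input is a real tracker checkout instead of the embedded sample.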
On Tue, 07 Jun 2005, Vesa Savolainen wrote:
> The Debian website says that there are no security updates available
> for testing and users are confused about the state of security
> auditing for testing. Now that Sarge has been released, I think it
> would be a good time for the testing security team to make some kind
> of a public announcement about how security updates will be managed
> in Etch. Also the Debian website should be informed about this.

I agree actually. What do people think about sending another update to
debian-devel-announce, and debian-security with a status update of our
work, and where we are going? Additionally, updating any relevant
websites (what website was being referred to in saying "... the Debian
website should be informed about this"?)

If I may be presumptuous, I drafted the following, it needs some pieces
filled in (such as statistics):

Now that Sarge has released, the testing-security team is shifting
gears from our pre-release activities to our post-release work. What
follows is a report on our activities thus far, and our future plans.

Testing-Security Accomplishments pre-Sarge
------------------------------------------

Testing-security performed a massive security review of *all* CAN and
CVE entries announced since the release of woody, performed a scan of
every DSA since woody's release and checked all DSAs to see if fixes
for those security holes had reached testing. This process uncovered
a few security holes that hadn't been fixed in testing for a year or
more, although these were exceptions.

We set up an automatic SVN repository updater of the CAN list, bringing
in fresh CANs/CVEs from Mitre. This allowed us to become alert to
CANs/CVEs that were released as soon as possible so that we could
check them. We also set up a webpage that is automatically updated
based on the status of this SVN repository.

Statistics
. how many items we have processed
. how many affected Debian at some point
. how many are unfixed in etch now
. how many we have remaining to do

Etching our way towards Testing-Security
----------------------------------------

Now that Sarge has released the testing-security team is shifting
gears from keeping the security pressure on for the release towards
building out our infrastructure to provide more security support for
testing. The team has worked hard to get Sarge secure, and we now have
a testing distribution with no old security holes in it.

Now we'd like to start providing regular security updates for testing.
This means developing a DTSA (Debian Testing Security Advisories)
procedure and beginning to perform proper DTSAs for all architectures,
releasing GPG signed advisories to a mailing list and website. Our goal
would be to provide timely security updates for testing, making fixes
available no more than four days after a DSA is released.

Develop ways to work with the official security team to streamline
security problems that come through testing into stable.

Work with maintainers to include security fixes from unstable that do
not have DSAs.

Continue maintaining a public database and statistics about the
current state of security in testing.

....

Thoughts?
micah
also sprach Steve Langasek <vorlon@debian.org> [2005.06.15.0038 +0200]:
> > Etching our way towards Testing-Security
>      ^
>      |
> The Germans have a hard enough time keeping these words straight without
> your help. :-)

We do?

-- 
 .''`.     martin f. krafft <madduck@debian.org>
: :'  :    proud Debian developer, admin, user, and author
`. `'`
  `-  Debian - when you have better things to do than fixing a system

Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!

"God is dead! And we have killed him."
 - Friedrich Nietzsche
On Tue, Jun 14, 2005 at 11:45:30AM -0500, Micah Anderson wrote:
> On Tue, 07 Jun 2005, Vesa Savolainen wrote:
> > The Debian website says that there are no security updates available
> > for testing and users are confused about the state of security
> > auditing for testing. Now that Sarge has been released, I think it
> > would be a good time for the testing security team to make some kind
> > of a public announcement about how security updates will be managed
> > in Etch. Also the Debian website should be informed about this.

> Etching our way towards Testing-Security
     ^
     |

The Germans have a hard enough time keeping these words straight without
your help. :-)

The rest of this looks reasonable to me.

Cheers,
-- 
Steve Langasek
postmodern programmer
The Debian website says that there are no security updates available for
testing and users are confused about the state of security auditing for
testing. Now that Sarge has been released, I think it would be a good time
for the testing security team to make some kind of a public announcement
about how security updates will be managed in Etch. Also the Debian website
should be informed about this.