Gregory Colpart
2008-Feb-06 15:27 UTC
[Secure-testing-team] Security Management for Horde packages
Hi,

I recently asked Horde upstream for better coordination with us for security problems. They then created a private mailing list to announce security issues and to coordinate releases with vendors. You can see details on the Horde wiki: http://wiki.horde.org/SecurityManagement

I'm now subscribed to this vendor mailing list. Don't hesitate to subscribe if you are interested.

Note: I Cc: security@ and secure-testing-team@ for information, because it could have an impact on the date for releasing Horde security packages (coordination with upstream for embargoed issues).

Regards,
-- 
Gregory Colpart <reg at evolix.fr> GnuPG:1024D/C1027A0E
Evolix - Informatique et Logiciels Libres http://www.evolix.fr/
Nico Golde
2008-Feb-06 20:13 UTC
[Secure-testing-team] Security Management for Horde packages
Hi Gregory,
* Gregory Colpart <reg at evolix.fr> [2008-02-06 16:44]:
> I recently asked Horde upstream for better coordination with us
> for security problems. They then created a private mailing
> list to announce security issues and to coordinate releases with
> vendors. You can see details on the Horde wiki:
> http://wiki.horde.org/SecurityManagement
>
> I'm now subscribed to this vendor mailing list. Don't hesitate to
> subscribe if you are interested.

Why not just send a mail to the vendor-sec list?

Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - nion at jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Gregory Colpart
2008-Feb-07 02:06 UTC
[Secure-testing-team] Security Management for Horde packages
(Please Cc: me, I'm not subscribed to secure-testing-team@)

Hi Nico,

On Wed, Feb 06, 2008 at 09:13:30PM +0100, Nico Golde wrote:
> Hi Gregory,
> * Gregory Colpart <reg at evolix.fr> [2008-02-06 16:44]:
> > I recently asked Horde upstream for better coordination with us
> > for security problems. They then created a private mailing
> > list to announce security issues and to coordinate releases with
> > vendors. You can see details on the Horde wiki:
> > http://wiki.horde.org/SecurityManagement
> >
> > I'm now subscribed to this vendor mailing list. Don't hesitate to
> > subscribe if you are interested.
>
> Why not just send a mail to the vendor-sec list?

I didn't know this list. After searching, I didn't find an "official" website... but if I understand correctly, the suggested workflow is:

1. upstream sends a mail about a disclosure to the vendor-sec list
2. the Debian security team is subscribed to vendor-sec and receives the mail about the disclosure
3. the Debian security team forwards it to the maintainer(s)
4. coordination between everybody for the security upload(s)

Am I right?

Regards,
-- 
Gregory Colpart <reg at evolix.fr> GnuPG:1024D/C1027A0E
Evolix - Informatique et Logiciels Libres http://www.evolix.fr/
Ola Lundqvist
2008-Feb-07 07:03 UTC
[Secure-testing-team] [pkg-horde] Security Management for Horde packages
Hi

Thanks. I have subscribed now.

Best regards,

// Ola

On Wed, Feb 06, 2008 at 04:27:02PM +0100, Gregory Colpart wrote:
> Hi,
>
> I recently asked Horde upstream for better coordination with us
> for security problems. They then created a private mailing
> list to announce security issues and to coordinate releases with
> vendors. You can see details on the Horde wiki:
> http://wiki.horde.org/SecurityManagement
>
> I'm now subscribed to this vendor mailing list. Don't hesitate to
> subscribe if you are interested.
>
> Note: I Cc: security@ and secure-testing-team@ for information,
> because it could have an impact on the date for releasing
> Horde security packages (coordination with upstream for
> embargoed issues).
>
> Regards,
> -- 
> Gregory Colpart <reg at evolix.fr> GnuPG:1024D/C1027A0E
> Evolix - Informatique et Logiciels Libres http://www.evolix.fr/

-- 
 --------------------- Ola Lundqvist ---------------------------
/  opal at debian.org                     Annebergsslingan 37      \
|  ola at opalsys.net                     654 65 KARLSTAD          |
|  http://opalsys.net/                   +46 (0)70-332 1551       |
 \  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
 ---------------------------------------------------------------
Nico Golde
2008-Feb-07 09:06 UTC
[Secure-testing-team] Security Management for Horde packages
Hi Gregory,
* Gregory Colpart <reg at evolix.fr> [2008-02-07 09:14]:
> (Please Cc: me, I'm not subscribed to secure-testing-team@)
> On Wed, Feb 06, 2008 at 09:13:30PM +0100, Nico Golde wrote:
> > Hi Gregory,
> > * Gregory Colpart <reg at evolix.fr> [2008-02-06 16:44]:
[...]
> > Why not just send a mail to the vendor-sec list?
>
> I didn't know this list. After searching, I didn't find an "official"
> website... but if I understand correctly, the suggested workflow is:
> 1. upstream sends a mail about a disclosure to the vendor-sec list
> 2. the Debian security team is subscribed to vendor-sec and receives
>    the mail about the disclosure
> 3. the Debian security team forwards it to the maintainer(s)
> 4. coordination between everybody for the security upload(s)
>
> Am I right?

Yes, it should work like this, even though only the stable team is subscribed and we usually don't get things forwarded, so the best thing would be if you notify the testing-security team in private too. You can reach the relevant people via team at testing-security.debian.net

Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - nion at jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Lionel Elie Mamane
2008-Feb-07 17:51 UTC
[Secure-testing-team] Security Management for Horde packages
On Wed, Feb 06, 2008 at 09:13:30PM +0100, Nico Golde wrote:
> Hi Gregory,
> * Gregory Colpart <reg at evolix.fr> [2008-02-06 16:44]:
>> I recently asked Horde upstream for better coordination with us
>> for security problems. They then created a private mailing
>> list to announce security issues and to coordinate releases with
>> vendors.

>> I'm now subscribed to this vendor mailing list. Don't hesitate to
>> subscribe if you are interested.

> Why not just send a mail to the vendor-sec list?

Because Gregory and Ola are not on that mailing list, and can't be, because they are not members of the Debian security teams? And having the maintainers in the loop is a Good Thing (tm)?

-- 
Lionel
Nico Golde
2008-Feb-07 18:57 UTC
[Secure-testing-team] Security Management for Horde packages
Hi Lionel,
* Lionel Elie Mamane <lionel at mamane.lu> [2008-02-07 19:52]:
> On Wed, Feb 06, 2008 at 09:13:30PM +0100, Nico Golde wrote:
> > * Gregory Colpart <reg at evolix.fr> [2008-02-06 16:44]:
>
> >> I recently asked Horde upstream for better coordination with us
> >> for security problems. They then created a private mailing
> >> list to announce security issues and to coordinate releases with
> >> vendors.
>
> >> I'm now subscribed to this vendor mailing list. Don't hesitate to
> >> subscribe if you are interested.
>
> > Why not just send a mail to the vendor-sec list?
>
> Because Gregory and Ola are not on that mailing list, and can't be,

You can still be put in the CC though....

> because they are not members of the Debian security teams? And having the
> maintainers in the loop is a Good Thing (tm)?

Writing to vendor-sec should be the correct solution; at least, that's exactly what vendor-sec is for: the vendors will get the problem, discuss patches and fix it with the upstream developers and other vendors...

Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - nion at jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Gregory Colpart
2008-Feb-07 19:47 UTC
[Secure-testing-team] Security Management for Horde packages
On Thu, Feb 07, 2008 at 10:06:03AM +0100, Nico Golde wrote:
>
> Yes, it should work like this, even though only the stable team is
> subscribed and we usually don't get things forwarded, so the
> best thing would be if you notify the testing-security team
> in private too. You can reach the relevant people via
> team at testing-security.debian.net

Do you want me to request a subscription to the Horde vendor list for team at testing-security.debian.net? Or do you prefer that I forward the essential posts?

Regards,
-- 
Gregory Colpart <reg at evolix.fr> GnuPG:1024D/C1027A0E
Evolix - Informatique et Logiciels Libres http://www.evolix.fr/
Gregory Colpart
2008-Feb-07 19:56 UTC
[Secure-testing-team] [pkg-horde] Security Management for Horde packages
On Thu, Feb 07, 2008 at 07:57:56PM +0100, Nico Golde wrote:
> > > > Why not just send a mail to the vendor-sec list?
> >
> > Because Gregory and Ola are not on that mailing list, and can't be,
>
> You can still be put in the CC though....
>
> > because they are not members of the Debian security teams? And having the
> > maintainers in the loop is a Good Thing (tm)?
>
> Writing to vendor-sec should be the correct solution; at
> least, that's exactly what vendor-sec is for: the vendors
> will get the problem, discuss patches and fix it with the
> upstream developers and other vendors...

I request that the vendor-sec list be subscribed to the Horde vendor list. Then the Debian stable security team will have the information via vendor-sec, and the Debian maintainers will have it too, via horde-vendor.

Regards,
-- 
Gregory Colpart <reg at evolix.fr> GnuPG:1024D/C1027A0E
Evolix - Informatique et Logiciels Libres http://www.evolix.fr/
Nico Golde
2008-Feb-07 21:21 UTC
[Secure-testing-team] [pkg-horde] Security Management for Horde packages
Hi Gregory,
* Gregory Colpart <reg at evolix.fr> [2008-02-07 22:00]:
> On Thu, Feb 07, 2008 at 07:57:56PM +0100, Nico Golde wrote:
> > > > Why not just send a mail to the vendor-sec list?
> > >
> > > Because Gregory and Ola are not on that mailing list, and can't be,
> >
> > You can still be put in the CC though....
> >
> > > because they are not members of the Debian security teams? And having the
> > > maintainers in the loop is a Good Thing (tm)?
> >
> > Writing to vendor-sec should be the correct solution; at
> > least, that's exactly what vendor-sec is for: the vendors
> > will get the problem, discuss patches and fix it with the
> > upstream developers and other vendors...
>
> I request that the vendor-sec list be subscribed to the Horde vendor
> list. Then the Debian stable security team will have the information
> via vendor-sec, and the Debian maintainers will have it too, via horde-vendor.

Not sure if you can subscribe this list to horde-vendor, but it sounds like a good idea worth a try.

Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - nion at jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Moritz Muehlenhoff
2008-Feb-07 21:48 UTC
[Secure-testing-team] [pkg-horde] Security Management for Horde packages
On Thu, Feb 07, 2008 at 08:56:15PM +0100, Gregory Colpart wrote:
> On Thu, Feb 07, 2008 at 07:57:56PM +0100, Nico Golde wrote:
> > > > > Why not just send a mail to the vendor-sec list?
> > > >
> > > > Because Gregory and Ola are not on that mailing list, and can't be,
> > >
> > > You can still be put in the CC though....
> > >
> > > > because they are not members of the Debian security teams? And having the
> > > > maintainers in the loop is a Good Thing (tm)?
> > >
> > > Writing to vendor-sec should be the correct solution; at
> > > least, that's exactly what vendor-sec is for: the vendors
> > > will get the problem, discuss patches and fix it with the
> > > upstream developers and other vendors...
>
> I request that the vendor-sec list be subscribed to the Horde vendor
> list. Then the Debian stable security team will have the information
> via vendor-sec, and the Debian maintainers will have it too, via horde-vendor.

That won't work. Vendor-sec is only for distributors; the only software project which is subscribed by itself is security at kernel.org.

Just tell Horde to do it like the other projects: if an issue is found, send a mail to vendor-sec at lst.de (everyone can send mail to it) and they'll be CCed on replies. The Horde folks should also set up a packagers list (which includes you and Ola), which can be CCed as well. (That's how X.org and many other projects handle it.)

Please pass upstream our thanks for this initiative; that's a big step forward.

Cheers,
Moritz
Nico Golde
2008-Feb-07 22:27 UTC
[Secure-testing-team] Security Management for Horde packages
Hi Gregory,
* Gregory Colpart <reg at evolix.fr> [2008-02-07 21:09]:
> On Thu, Feb 07, 2008 at 10:06:03AM +0100, Nico Golde wrote:
> >
> > Yes, it should work like this, even though only the stable team is
> > subscribed and we usually don't get things forwarded, so the
> > best thing would be if you notify the testing-security team
> > in private too. You can reach the relevant people via
> > team at testing-security.debian.net
>
> Do you want me to request a subscription to the Horde vendor list for
> team at testing-security.debian.net? Or do you prefer that
> I forward the essential posts?

Please just forward the essential posts. Thanks a lot for this initiative!

Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - nion at jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.