Michael S Gilbert
2009-Aug-31 02:43 UTC
[Secure-testing-team] [webkit-security] need help triaging deluge of webkit-related security issues
On Fri, 21 Aug 2009 14:44:45 -0700 Aaron Sigel wrote:
> I'd like to nominate debian to join the webkit-security list, but I'd
> also like it if the addresses / people I nominated were @debian.org.
>
> Who should I nominate? Names + email address would be appreciated.
>
> Aaron
>
> On Aug 9, 2009, at 10:00 PM, Michael S Gilbert wrote:
>
> > hello,
> >
> > i sent the following mail a few weeks ago, and have not heard anything
> > yet. security of your downstream vendors is of utmost importance for
> > webkit to gain traction as a trustable browser engine.
> >
> > if downstreams are not going to be able to get sufficient access to
> > security information, users will start to notice and will stick with
> > more trustable products that have "mature" security practices, like
> > mozilla.
> >
> > is there any way that you could provide this info to debian? you
> > don't even have to go through me. you can contact their private list
> > if you so desire: team at security.debian.org; although that should not
> > be necessary since all of these issues are already public.
> >
> > mike
> >
> > On Sun, Jul 19, 2009 at 8:42 PM, Michael S Gilbert wrote:
> >> hello,
> >>
> >> the debian project (and likely other webkit downstreams) are in
> >> desperate need of assistance triaging the deluge of 30+ webkit
> >> security bugs that came through apple recently [1]. the problem, of
> >> course, is that the apple announcements are effectively useless since
> >> there is no information about patches and bug reports for the
> >> problems. hence, it makes it very difficult to determine which webkit
> >> versions are affected; and also to find the patches needed to address
> >> the problems.
> >>
> >> if you can help me track down the patches/bug reports, that would be
> >> great. thank you for any assistance you can provide.

i haven't seen anyone respond to this for a couple weeks, so i'll chime
in to get the ball rolling. Florian Wiemer (fw at debian dot org),
Nico Golde (nion at debian dot org), Thijs Kinkhorst (thijs at debian
dot org), and Moritz Muehlenhoff (jmm at debian dot org) are the big
names in debian security. Florian, in particular, deals with most of
the vendor-sec issues. hopefully one or more of them would be
interested in participating on the webkit security team/list.

mike
Aaron Sigel
2009-Aug-31 16:42 UTC
[Secure-testing-team] [webkit-security] need help triaging deluge of webkit-related security issues
Okay -- they should feel free to request access if they so desire it.
One email request should do.

On Aug 30, 2009, at 7:43 PM, Michael S Gilbert wrote:
> On Fri, 21 Aug 2009 14:44:45 -0700 Aaron Sigel wrote:
>> I'd like to nominate debian to join the webkit-security list, but I'd
>> also like it if the addresses / people I nominated were @debian.org.
>>
>> Who should I nominate? Names + email address would be appreciated.
>>
>> Aaron
>>
>> On Aug 9, 2009, at 10:00 PM, Michael S Gilbert wrote:
>>
>>> hello,
>>>
>>> i sent the following mail a few weeks ago, and have not heard
>>> anything yet. security of your downstream vendors is of utmost
>>> importance for webkit to gain traction as a trustable browser engine.
>>>
>>> if downstreams are not going to be able to get sufficient access to
>>> security information, users will start to notice and will stick with
>>> more trustable products that have "mature" security practices, like
>>> mozilla.
>>>
>>> is there any way that you could provide this info to debian? you
>>> don't even have to go through me. you can contact their private
>>> list if you so desire: team at security.debian.org; although that
>>> should not be necessary since all of these issues are already public.
>>>
>>> mike
>>>
>>> On Sun, Jul 19, 2009 at 8:42 PM, Michael S Gilbert wrote:
>>>> hello,
>>>>
>>>> the debian project (and likely other webkit downstreams) are in
>>>> desperate need of assistance triaging the deluge of 30+ webkit
>>>> security bugs that came through apple recently [1]. the problem, of
>>>> course, is that the apple announcements are effectively useless
>>>> since there is no information about patches and bug reports for the
>>>> problems. hence, it makes it very difficult to determine which
>>>> webkit versions are affected; and also to find the patches needed
>>>> to address the problems.
>>>>
>>>> if you can help me track down the patches/bug reports, that would
>>>> be great. thank you for any assistance you can provide.
>
> i haven't seen anyone respond to this for a couple weeks, so i'll
> chime in to get the ball rolling. Florian Wiemer (fw at debian dot
> org), Nico Golde (nion at debian dot org), Thijs Kinkhorst (thijs at
> debian dot org), and Moritz Muehlenhoff (jmm at debian dot org) are
> the big names in debian security. Florian, in particular, deals with
> most of the vendor-sec issues. hopefully one or more of them would be
> interested in participating on the webkit security team/list.
>
> mike