Security work in Debian (Was: Relaxing testing requirements)
| Petter Reinholdtsen 2005-03-19, 5:50 pm |
[Gunnar Wolf]
> The answer is simple:
For every problem there is a simple and obvious answer which just
happens to be wrong. I believe you ran into one of those.
> Not everybody can become a security team member, the required
> technical skills are quite high. There is a VERY high commitment
> requirement as well, so even some of the skilled people do not
> become part of the security team. Besides _that_, most people agree
> that creating new code is more fun than patching existing code, so
> even less people step into that position.
>
> Remember this is a volunteer project. I know of no extra volunteers
> willing to take up such a task as Security. You repeatedly talk
> about adding man-power to it. So... Are you in?
There are two security teams in effect now. The debian/stable team,
working to make sure the stable release of Debian gets security fixes
as soon as possible. They get security warnings before the issues
become public knowledge. Membership into this team is not over for
everyone.
There is also the debian/testing team, working to fix security issues
in the testing release of Debian. This team only works with publicly
known information, and is open for everyone interested in helping out
with security fixes for Debian. This second team was created by Joey
Hess as part of his work for Debian Edu, and there are several
volunteers participating in this effort. To participate, check out
<URL:http://secure-testing.alioth.debian.org/>. Debian Edu are trying
to find funding to hire more people to work on security in Debian.
Contact me if you are interested in funding this work. 
I hope in time the "public" debian/testing security team can become a
good recruitment base for the "private" debian/stable security team.
This will hopefully let us avoid the current problem with the lack of
man-power in the debian/stable security team.
--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
| Javier Fernández-Sanguino Peña 2005-03-19, 5:50 pm |
On Sat, Mar 19, 2005 at 07:03:07PM +0100, Petter Reinholdtsen wrote:
> There are two security teams in effect now. The debian/stable team,
> working to make sure the stable release of Debian gets security fixes
> as soon as possible. They get security warnings before the issues
> become public knowledge. Membership into this team is not over for
> everyone.
Actually there's three. You are missing the Security Audit team which both
finds new vulnerabilities and issues and finds vulnerabilities that have
been fixed by others but have not yet been fixed in Debian. Notice that
those "fixed" things don't always have a CVE identifier...
Regards
Javier