On Tue, Mar 15, 2005 at 08:51:30AM -0800, Matt Zimmerman wrote:
> On Tue, Mar 15, 2005 at 09:50:22AM +0100, Sven Luther wrote:
>
> > On Mon, Mar 14, 2005 at 04:51:55PM -0800, Matt Zimmerman wrote:
> > > On Tue, Mar 15, 2005 at 01:14:30AM +0100, Sven Luther wrote:
> > >
> > > > On Mon, Mar 14, 2005 at 06:10:30PM -0500, Andres Salomon wrote:
> > > > > Yes, I would like to reiterate that coordination between Martin Pitt, the
> > > > > Ubuntu kernel team, and the Debian kernel team has been an invaluable
> > > > > resource for Debian; there are a lot of security fixes in Debian
> > > > > kernels that were brought to my attention by either Fabio or Martin.
> > > >
> > > > Because they are in the security-announce-loop and we are not though,
> > > > right?
> > >
> > > Can you restate the question more clearly? In particular, expand the
> > > pronouns "they" and "we", and explain what the security-announce-loop is.
> >
> > There is this vendor-specific-security-announce-with-embargo thingy.
>
> ...which is the subject of a lot of unfounded speculation by those who are
> not familiar with the process.
>
> > To have proper security-in-testing-or-unstable for the kernel, the
> > debian-kernel security team, or at least a few members of it, need to be made
> > aware of the embargoed security holes, and get a chance to fix them in
> > advance, maybe with a private or security non-public copy of our svn tree
> > (using svk maybe).
>
> Herbert Xu used to fill this role. After he resigned, William Lee Irwin (I
> believe) volunteered to be the point of contact for security issues. If
> William is not active in this role, the kernel team should nominate someone
> else who can be trusted by the security team to work on sensitive issues,
> and have them contact the security team.
>
> > This is not an Ubuntu-related problem though, and the help the Ubuntu
> > kernel/security team has provided us was invaluable, but it should maybe not
> > be necessary if the information was not unrightfully held from us in the
> > first place.
>
> This problem has nothing whatsoever to do with Ubuntu, and I appreciate you
> retracting this implication. Whether you believe in coordinated disclosure
> is equally irrelevant; the terms of such information are set by the rightful
> party (e.g., the person who discovered it), and to violate those terms would
> represent a breach of trust.
I never made any such implication; I am not even sure what implication you are
speaking about here. I only mentioned that the current kernel team has no
access to the vendor-sec stuff, and as such it is logical that the help flows
from Ubuntu (who has access to it, right?) since the Ubuntu kernel team has a
couple of weeks' advance notice of the problems. Other problems also flow the
other way around though.

Friendly,

Sven Luther