Re: Bad press related to (missing) Debian security - action

2005-06-29 Thread Alvin Oga


hi ya micah

- thanx for trying ... let's see what happens

On Wed, 29 Jun 2005, Micah Anderson wrote:

> Alvin Oga wrote on Wednesday, 29 June 2005:
>  
> > On Wed, 29 Jun 2005, Micah Anderson wrote:
... 
> > > Did you read the email that I referenced? It doesn't sound like you
> > > did. 
> > 
> > this is precisely why volunteers disappear
> 
> I'm sorry I dont understand.

i read more into your comment about having read the prev urls or not
which, like i said, i did read

> http://lists.alioth.debian.org/mailman/listinfo/secure-testing-team
> http://lists.alioth.debian.org/mailman/listinfo/secure-testing-commits
> http://secure-testing.alioth.debian.org/
> http://lists.debian.org/debian-security/2004/10/msg00166.html

i'll look thru those later
 
> I note that there is no message from you found on the
> secure-testing-team mailing list.

i posted/replied in the debian-security list when joey and crew
were previously looking for volunteers

> I am unable to find your alioth account, did you sign up for one?

dont have one

> Did you email the secure-testing
> alioth project administrator to be added to the project?

dont know the folks of who does what .. etc

> Did you check out the svn repository? 

nope ...


> > of course i read it ... the first time you posted and the 2nd time when
> > you sent the same url again .. multiple times for "how to volunteer"
> 
> Please, where in the details about how to volunteer did you get stuck
> so we can improve them? 

in my case... i suppose i'm the idiot ... since i want to do things
differently ...

- i'm interested in releasing xxx-latest.deb packages
for "testing" 

- latest kernel, latest apache, latest php, latest xxx
and in my case, and for our customers, being a month
or two out of date could be a very bad thing which is
why we're interested in newer security methodology
and we already do our magic inhouse for the latest xxx
apps

- i'm assuming that the authors and package maintainers
are already doing their patches based on announced vulnerabilities
and exploits, and i'm wanting to avoid re-inventing that wheel

- thanx again for taking the time to reply..
  and i'll spend some time on the new urls
 
> The benefits of volunteering are also detailed in that email. What
> sort of proactive direction are you expecting?

at a minimum ..
- latest kernels in *.deb form from kernel.org
- latest apache from apache.org 
... endless list ..

> I think you have it
> backwards, the proactivity needs to come from you.

i'd like a place ( a server ) where all these packages can be kept

maybe we'd just need to start, similar to what nerim.net does with
mplayer*.deb

unfortunately, the suits want patches all from debian.org
or inhouse, where, guess who ( me ) takes the ball and responsibility
for inhouse packages vs importing from   tom-dick-n-harry and
sally-mary-jane's site

> You are right that
> the group is still in its infancy in terms of being organized,

its okay...  good to grow

> but how
> do you expect it to become organized?

replying to those wanting to volunteer is a good start... as you have
been doing .. thanx for that

> The only way it will become
> organized in a volunteer organization is if the volunteers (read: this
> can be you), proactively organize it.

sometimes, us volunteers do NOT have the luxury to change the 
way things are done ... or even given 1 month to implement the next
big idea and see if it works or not ...

old ways are good ... its proven .. it works

if the old ways do NOT address new problems ... then somebody else
might solve those problems... and/or change distros

> If you wish to wait until
> everyone else has done the work to organize the group, and then you
> want to come in and do something you may find that the group is
> organized a way that you do not like and you will regret that you did
> not help organize it the way you like.

:-) .. thusly, i'm still here ... looking and watching

-- are you local ... ( silicon valley area ).. probably easier to talk
   face-to-face vs thru phosphor emissions
- and/or with any other "security team volunteer" 

c ya
alvin


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Re: Bad press related to (missing) Debian security - action

2005-06-29 Thread Micah Anderson
Alvin Oga wrote on Wednesday, 29 June 2005:

> 
> On Wed, 29 Jun 2005, Micah Anderson wrote:
> 
> > > i think you can search thru the debian security archives just as
> > > easily as i can or in fact even more easily since you have a debian acct ??
> > 
> > Did you read the email that I referenced? It doesn't sound like you
> > did. 
> 
> this is precisely why volunteers disappear

I'm sorry I don't understand. Volunteers disappear because they read a
message detailing how to volunteer and then don't follow those
directions and then disappear? If someone wants to volunteer, then
they need to do the things that are detailed about how to get
involved, otherwise they are disappearing themselves.

I do not understand, the directions are clear, and I reproduce them
and the referenced URLs below:

Any with an interest in participating are welcome to join the team,
Debian Developers and others with the skills and desire to help. The
team can be contacted through its mailing list[14]. There is a second
mailing list[15] that receives commit messages to our repository. An
alioth project page[1] is also available. Have a read of this
message[16] if you are interested in participating, the details are
there about how to start helping check CANs on a regular basis.

http://lists.alioth.debian.org/mailman/listinfo/secure-testing-team
http://lists.alioth.debian.org/mailman/listinfo/secure-testing-commits
http://secure-testing.alioth.debian.org/
http://lists.debian.org/debian-security/2004/10/msg00166.html

I note that there is no message from you found on the
secure-testing-team mailing list. I am unable to find your alioth
account, did you sign up for one? Did you email the secure-testing
alioth project administrator to be added to the project? Did you check
out the svn repository? 

> of course i read it ... the first time you posted and the 2nd time when
> you sent the same url again .. multiple times for "how to volunteer"

Please, where in the details about how to volunteer did you get stuck
so we can improve them? 

> somehow, magically, volunteers can become overnight experts
> and no handholding is needed at all or who is doing what

You do not need to be an expert, but you do need to be able to follow
directions that are detailed for you, if directions do not make sense,
ask and they will be cleared up. How magic do you want the process?

> i think there has been enough about emails in here.. and since no
> proactive direction is being made, i think i'll bow out of volunteering 
> again .. but will gladly help later when things are more organized and
> its clear what the benefits of volunteering hundred of hrs/month would be

The benefits of volunteering are also detailed in that email. What
sort of proactive direction are you expecting? I think you have it
backwards, the proactivity needs to come from you. You are right that
the group is still in its infancy in terms of being organized, but how
do you expect it to become organized? The only way it will become
organized in a volunteer organization is if the volunteers (read: this
can be you), proactively organize it. If you wish to wait until
everyone else has done the work to organize the group, and then you
want to come in and do something you may find that the group is
organized a way that you do not like and you will regret that you did
not help organize it the way you like.

Micah


signature.asc
Description: Digital signature


Re: Bad press related to (missing) Debian security - action

2005-06-29 Thread Alvin Oga

On Wed, 29 Jun 2005, Micah Anderson wrote:

> > i think you can search thru the debian security archives just as
> > easily as i can or in fact even more easily since you have a debian acct ??
> 
> Did you read the email that I referenced? It doesn't sound like you
> did. 

this is precisely why volunteers disappear

of course i read it ... the first time you posted and the 2nd time when
you sent the same url again .. multiple times for "how to volunteer"

somehow, magically, volunteers can become overnight experts
and no handholding is needed at all or who is doing what

i think there has been enough about emails in here.. and since no
proactive direction is being made, i think i'll bow out of volunteering 
again .. but will gladly help later when things are more organized and
its clear what the benefits of volunteering hundreds of hrs/month would be

thanx for your time in replies ... 

c ya
alvin





Re: Bad press related to (missing) Debian security - action

2005-06-29 Thread Micah Anderson
Alvin Oga wrote on Wednesday, 29 June 2005:

> 
> On Wed, 29 Jun 2005, Micah Anderson wrote:
> 
> > Alvin Oga wrote on Tuesday, 28 June 2005:
> > 
> > You sent an email where about what and got no response? I did not see
> > your offer to help come across the mailing list (if it is there, can
> > you point out the URL to the message?)...
> 
> i think you can search thru the debian security archives just as
> easily as i can or in fact even more easily since you have a debian acct ??

Did you read the email that I referenced? It doesn't sound like you
did. 

> in either case, it doesn't matter to me if people reply or not to those
> that are volunteering
>   - i go on the assumption that people get selected based on
>   the "merits or pecking order or friends of friends" or ??
>   whatever the criteria is ..

The testing-security team is not operating this way.

>   - from this last batch of emails about security, i saw there
>   was a bunch of folks willing to help do security work ..
>   and i'm hoping somebody takes up the volunteer's offerings
>   and unload some tasks or do some other forms of methodology tests

I sent a message whose contents detail how to get involved in the
testing-security team for those who wish to volunteer. 

micah





Re: Bad press related to (missing) Debian security - action

2005-06-29 Thread Petter Reinholdtsen

[Alvin Oga]
> i don't want any handholding ... other than access to the resources
> and info and/or question answer ..
>   - in my case, i'd like to create test-sec.debian.org
>   for which i cannot do anything about it unless i do get
>   some handholding and its purpose to supplement the security
>   patches that i see is lacking in "testing"
>   ( 2 or 3 months behind current releases is too far back for me )

Everybody has access to the resources used by the testing security
team.  If you start submitting updates there, I am sure your effort
will have positive effect.  There is no reason for you to wait for a
debian.org domain name.  If you want a new APT repository, you can
create it anywhere, and if it proves to be a good idea it can be made
available as test-sec.debian.org or something similar some time in the
future.

The information about the testing security team is available from
<http://secure-testing.alioth.debian.org/>, and the subversion
repository used to track security issues is publicly available.  Patch
submission into BTS can be done by anyone, and NMUs can be prepared by
anyone for review and upload by any Debian developer.  I am convinced
several of the Debian developers in the testing security team are
willing to do uploads.  And, when the issue is completely investigated
and the patch is available, the work left for the stable security team
will be much reduced. :)

So, no need to wait, just go ahead.





Re: Bad press related to (missing) Debian security - action

2005-06-29 Thread Alvin Oga

On Wed, 29 Jun 2005, Micah Anderson wrote:

> Alvin Oga wrote on Tuesday, 28 June 2005:
> 
> You sent an email where about what and got no response? I did not see
> your offer to help come across the mailing list (if it is there, can
> you point out the URL to the message?)...

i think you can search thru the debian security archives just as
easily as i can or in fact even more easily since you have a debian acct ??

in either case, it doesn't matter to me if people reply or not to those
that are volunteering
- i go on the assumption that people get selected based on
the "merits or pecking order or friends of friends" or ??
whatever the criteria is ..

- from this last batch of emails about security, i saw there
was a bunch of folks willing to help do security work ..
and i'm hoping somebody takes up the volunteer's offerings
and unload some tasks or do some other forms of methodology tests

> Often people looking for helpers are needing helpers because they are
> so busy that they need people who are wanting to help to take
> initiative, rather than be hand-held.

i don't want any handholding ... other than access to the resources
and info and/or question answer ..
- in my case, i'd like to create test-sec.debian.org
for which i cannot do anything about it unless i do get
some handholding and its purpose to supplement the security
patches that i see is lacking in "testing"
( 2 or 3 months behind current releases is too far back for me )

and everybody is busy... 
- first priority for me/us is paying customers as that is 
what keeps our expenses paid...
and then volunteer for folks(entities) that want some help

c ya
alvin





Re: Bad press related to (missing) Debian security - action

2005-06-28 Thread Micah Anderson
Alvin Oga wrote on Tuesday, 28 June 2005:

> On Tue, 28 Jun 2005, Micah Anderson wrote:
> 
> > Alvin Oga wrote on Tuesday, 28 June 2005:
> >
> > If you are interested in testing security, then there is a group
> > working on this project. Here is some information about the history of
> > the team, and if you read through the message there is information
> > about how to help:
> > 
> > http://lists.debian.org/debian-devel-announce/2005/03/msg00014.html
> 
> saw that before ... and no response ... so i let it die,
> the assumption being, that people looking for helpers will reply
> to those volunteering, but i guess one has to pass the screeners
> requirements before getting onto the next level

You sent an email where about what and got no response? I did not see
your offer to help come across the mailing list (if it is there, can
you point out the URL to the message?)...

Often people looking for helpers are needing helpers because they are
so busy that they need people who are wanting to help to take
initiative, rather than be hand-held.

micah





Re: Bad press related to (missing) Debian security - action

2005-06-28 Thread Alvin Oga


On Tue, 28 Jun 2005, Micah Anderson wrote:

> Alvin Oga wrote on Tuesday, 28 June 2005:
>
> If you are interested in testing security, then there is a group
> working on this project. Here is some information about the history of
> the team, and if you read through the message there is information
> about how to help:
> 
> http://lists.debian.org/debian-devel-announce/2005/03/msg00014.html

saw that before ... and no response ... so i let it die,
the assumption being, that people looking for helpers will reply
to those volunteering, but i guess one has to pass the screeners
requirements before getting onto the next level

c ya
alvin





Re: Bad press related to (missing) Debian security - action

2005-06-28 Thread Micah Anderson
Alvin Oga wrote on Tuesday, 28 June 2005:

[snip]
> etch/testing where are the security patches ??
>   - i want it to also have latest apps i care about
>   ( latest kernels, latest apache, latest xxx, .. )
> 
>   - this is the parts i'm interested in structuring for security
>   updates as some/most security patches are fixed in later releases
>   from the originating authors/sites  and they already maintain
>   and keep their eyes on all the announced vulnerabilities and
>   exploits

If you are interested in testing security, then there is a group
working on this project. Here is some information about the history of
the team, and if you read through the message there is information
about how to help:

http://lists.debian.org/debian-devel-announce/2005/03/msg00014.html

micah




Re: Bad press related to (missing) Debian security - action

2005-06-28 Thread Alvin Oga

On Tue, 28 Jun 2005, martin f krafft wrote:

> thus spoke Alvin Oga <[EMAIL PROTECTED]> [2005.06.28.1451 +0200]:
> > - all other debian boxes do NOT trust it and nobody else should
> > trust it either... it is "for testing and development"
> 
> I know. But what happens when someone decides to abuse it? I could
> host a machine, no problem. But giving root access to others is the
> problem.

obviously.. only "trusted" people would have root access

and it is a "security test server" and should encourage others
to try to become root too  and to document how they did it and
if its repeatable

---

- there's tasks for the "security team" to do
- there's tasks that anybody can do 

---

the point is we all have varying degrees of security requirements
and we all can add our methodology and scripts and try to create
a suitable infrastructure for "security updates"

woody or
sarge/stable has security updates ( very structured and tested over the
years ), which is a good thing

etch/testing where are the security patches ??
- i want it to also have latest apps i care about
( latest kernels, latest apache, latest xxx, .. )

- this is the parts i'm interested in structuring for security
updates as some/most security patches are fixed in later releases
from the originating authors/sites  and they already maintain
and keep their eyes on all the announced vulnerabilities and
exploits

sid/unstable ... has lots of security updates and updates for apps
- not suitable (??) for ( remote ) production servers 

c ya
alvin





Re: Bad press related to (missing) Debian security

2005-06-28 Thread Matt Zimmerman
On Mon, Jun 27, 2005 at 08:39:43PM +0200, Marek Olejniczak wrote:

> On Mon, 27 Jun 2005, Matt Zimmerman wrote:
> 
> >The security team has always been a difficult one to expand.  A strong
> >level of trust is necessary due to confidentiality issues, and security
> >support is a lot of (mostly boring and thankless) work.  However,
> >expanding it seems like the only way to make it sustainable.
> 
> I don't understand the philosophy of Debian security team. It's really so
> difficult to push into sarge spamassassin 3.0.4 which is not vulnerable?
> This version is in Debian testing and why this version can't be push into
> stable?

This article does a fairly good job of explaining:

http://www.redhat.com/advice/speaks_backport.html

-- 
 - mdz





Re: Bad press related to (missing) Debian security

2005-06-28 Thread Adam Majer
martin f krafft wrote:

>It surprised everyone, even though it was not a real surprise -- if
>that makes sense. The security team has been a major weakness of
>Debian for a while. It was only a question of time until it all came
>down on Joey.
>
>Anyway, if you like Debian, then you should keep using it. The
>current situation is unacceptable, and we are all aware of this. But
>the good news is that a lot of people are working on it, and after
>the stereotypical blow in the face, we'll have something to learn to
>prevent such problems in the future.
>
>So bear with us for just a little while more, consider disabling the
>affected services for now, or roll your own security updates until
>we caught up.
>  
>

I think this is a much better reply than telling people to
* use other distributions (Suse, RHEL, Fedora, Ubuntu, whatever),
* use sid, or
* roll your own security

I've been using Debian since Slink and I think this is one of the very
few times Debian was caught with its security pants down. I don't think
I am affected yet, with exception of spamassassin so let's hope Debian
can catch up before the next remote hole in squid, apache2 or racoon.

- Adam






Re: Bad press related to (missing) Debian security

2005-06-28 Thread Joey Hess
martin f krafft wrote:
> Not meaning to dispel it, but isn't this essentially a bug
> tracking system or ticket system done slightly differently?

No, if it were a bug tracking system we could use the Debian BTS and not
bother with it. It's a vulnerability/non vulnerability tracking system;
we use it to not only track holes that affect testing, but just as
importantly, holes that do not. It allows us to know that every security
issue has been checked out by someone with no gaps (our historical
checks of all security holes since woody found holes that were missed
from being tracked in the BTS).

Of course it works with the BTS, and once the BTS gets version tracking
certain bits of it will become more automated.

-- 
see shy jo




Re: Bad press related to (missing) Debian security - action

2005-06-28 Thread Robert Lemmen
On Tue, Jun 28, 2005 at 05:20:51AM -0700, Alvin Oga wrote:
> personally, i pull down all the important tar balls from the originating
> author's site and compile it ... if the distro's version of any app is
> "too far behind"

the main point about stable security is that exactly this does not
happen: i want security fixes for the versions that i have installed,
not newer versions. and that's also where things get complicated...

cu  robert

-- 
Robert Lemmen   http://www.semistable.com 




Re: Bad press related to (missing) Debian security - action

2005-06-28 Thread martin f krafft
thus spoke Alvin Oga <[EMAIL PROTECTED]> [2005.06.28.1451 +0200]:
> - all other debian boxes does NOT trust it and nbody else should
> trust it either... it is "for testing and development"

I know. But what happens when someone decides to abuse it? I could
host a machine, no problem. But giving root access to others is the
problem.

-- 
Please do not send copies of list mail to me; I read the list!
 
 .''`. martin f. krafft <[EMAIL PROTECTED]>
: :'  :proud Debian developer and author: http://debiansystem.info
`. `'`
  `-  Debian - when you have better things to do than fixing a system
 
Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!
 
why didn't noah swat those two mosquitoes?




Re: Bad press related to (missing) Debian security - action

2005-06-28 Thread Alvin Oga

On Tue, 28 Jun 2005, martin f krafft wrote:

> Just use this list.

i think the point of "this list" is its not moving fast
enough for some folks wanting security updates
 
> > the machine can be called sec-test.debian.org so that we have
> > a way to test another security update/process/procedures out
> 
> Mh, I am not sure this is viable as you guys would probably need
> root on the machine, which is a credibility problem when someone
> else hosts it...

hosting a server is trivially simple... esp for a test server

point test-sec.debian.org to any ip# sitting on a t1 or t3 or
OC-xxx  and everybody can start working on it

- all other debian boxes do NOT trust it and nobody else should
  trust it either... it is "for testing and development"

c ya
alvin





Re: Bad press related to (missing) Debian security - action

2005-06-28 Thread martin f krafft
thus spoke Alvin Oga <[EMAIL PROTECTED]> [2005.06.28.1420 +0200]:
> if somebody at debian.org can create yaml, say
> [EMAIL PROTECTED], than the rest of us moaners,
> complainers and wanna-volunteer can get started ...

Just use this list.

> the machine can be called sec-test.debian.org so that we have
> a way to test another security update/process/procedures out

Mh, I am not sure this is viable as you guys would probably need
root on the machine, which is a credibility problem when someone
else hosts it...

-- 
Please do not send copies of list mail to me; I read the list!
 
 .''`. martin f. krafft <[EMAIL PROTECTED]>
: :'  :proud Debian developer and author: http://debiansystem.info
`. `'`
  `-  Debian - when you have better things to do than fixing a system
 
Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!
 
"we americans, we're a simple people... 
 but piss us off, and we'll bomb  your cities."
 -- robin williams, good morning vietnam




Re: Bad press related to (missing) Debian security - action

2005-06-28 Thread Alvin Oga

On Tue, 28 Jun 2005, Alvin Oga wrote:

> On Tue, 28 Jun 2005, martin f krafft wrote:
> 
> > thanks for the proposal. why did you write it and not just get on
> > with those scripts already?


if somebody at debian.org can create yaml, say [EMAIL PROTECTED],
then the rest of us moaners, complainers and wanna-volunteer can
get started ...

debian's gods can watch and see if they like or dislike what we're
doing and incorporate it into the main hierarchy or not

the machine can be called sec-test.debian.org so that we have
a way to test another security update/process/procedures out


personally, i pull down all the important tar balls from the originating
author's site and compile it ... if the distro's version of any app is
"too far behind"


c ya
alvin





Re: How to help the security team (was Re: Bad press related to (missing) Debian security)

2005-06-28 Thread Harry
I picked one of the bugs (see bottom of email). Is
this sort of information useful to the security
team and if so, how?





vulnerability: sudo race condition.
Severity: High
Type: local

References: 
CAN-2005-1993
BID:13993
URL:http://www.securityfocus.com/bid/13993
http://www.sudo.ws/sudo/alerts/path_race.html

Affected version: 1.3.1 up to and including 1.6.8p8.

Debian versions: 
woody: sudo_1.6.6-1.3
sarge: sudo_1.6.8p7-1.1
testing: sudo_1.6.8p7-1.1
unstable: sudo_1.6.8p7-1.1

No mention of the bug in the changelog:
http://smallr.com/so

Status: Debian is affected

Actions that need to be taken: 

Package Maintainer Action:
Create new sudo package version 1.6.8p9 or greater.
Request a patch from the maintainers.
http://www.sudo.ws/sudo/authors.html

User Action:
Upgrade: The bug is fixed in sudo 1.6.8p9. There is no
package available so a local build or install will be
required.

Current Workaround:
The administrator can order the sudoers file such that
all entries granting Sudo ALL privileges precede all
other entries.



Harry
Join team plico. 
http://www.hjackson.org/cgi-bin/folding/index.pl






Re: Bad press related to (missing) Debian security - action

2005-06-28 Thread Alvin Oga

On Tue, 28 Jun 2005, martin f krafft wrote:

> thanks for the proposal. why did you write it and not just get on
> with those scripts already?

i volunteered before to start writing it .. but the "team" had other
plans so they went to do what they're looking at doing which
is good and bad ...
too many chefs spoil the recipe and i don't know what
state things are at .. a year later

> people "volunteering" are useless. people actually doing something
> are not.

:-) ... as you said in your next post ...

have fun .. relax .. unwind ..

c ya
alvin





How to help the security team (was Re: Bad press related to (missing) Debian security)

2005-06-28 Thread Javier Fernández-Sanguino Peña
On Tue, Jun 28, 2005 at 11:48:23AM +0200, Marek Olejniczak wrote:
> No, it was *my* decision! I've been using Debian for 4 years and I like this 
> distribution. And it surprised me that my favourite distro has problems 
> with security.

Like any other *volunteer* project, there are ups and downs. Don't 
complain, help fix the problem instead. 

I'm amazed at how people are complaining about this. In other news: 
Microsoft doesn't publish advisories for known security vulnerabilities, it 
will wait even a full month (or more) to do so. And their security team is 
being *paid* for what they do.

I, for one, would actually appreciate if people instead of complaining in
this mailing list would go through the latest public vulnerabilities that
*might* affect Debian and provide a status report. You just need to pick a
vulnerability and ask yourself these questions:

a) how grave is this vulnerability? is it local or remote?
b) is an upstream patch available?
c) does the vulnerability indeed affect Debian woody or sarge?
d) has it been reported in Debian's BTS? does it have a patch?
e) has a package fixing this been uploaded to sid? is a package
waiting for approval from the security team?

Some information is available at
http://newraff.debian.org/~joeyh/stable-security.html but that's not 100%
accurate (as described in the header).

So, for starters, all you need is:

Vulnerability info, which is available at:

- Securityfocus Database: http://www.securityfocus.com/bid
- LWN's advisories (http://lwn.net/Alerts/) and vulnerabilities 
(http://lwn.net/Vulnerabilities/) 

The relevant Debian BTS entries should be tagged 'security' and can be 
found 
at:
http://bugs.debian.org/cgi-bin/pkgreport.cgi?which=tag&data=security&archive=no&exclude=potato&exclude=experimental&exclude=fixed&exclude=wontfix

But, of course, the BTS entries for the relevant bugs should be reviewed 
too (people sometimes do not tag security bugs appropriately).

Also, past advisories with CVE references for Debian should be reviewed. 
They are found at:
http://www.debian.org/security/crossreferences

(Note: Bugtraq references in that page are not necessarily up-to-date as I
review these from time to time)

Here's a sample:

-

- Vulnerability: latest dbus vulnerability 
- Severity: High
- Type: local
- References: CAN-2005-0201, also BID-12345: 
http://www.securityfocus.com/bid/12435
[ not in Debian's CVE reference map ]
- Other references:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=146766
(includes test and patch)
- Affected version: 0.22 (based on other vendors alerts)
- Debian versions: 0.23.4-1 in sarge, 0.23.4-3 in sid, not present in woody 
(http://packages.qa.debian.org/d/dbus.html)

[ review of the source package to see if the bug is applied there ]
[  ] 
[ the code is fixed and upstream Changelog says that it was fixed 
in 2005-01-31  and included in the 2.3.1 ] 

Status: Debian is _not_ affected

Actions that need to be taken: none


Another example:



- Vulnerability: cacti - SQL injection and XSS
- Severity: High
- Type: remote
- References: CAN 2005-{1524,1525,1526}
- Other references: 
Gentoo advisory: http://www.gentoo.org/security/en/glsa/glsa-200506-20.xml
Gentoo Bug: http://bugs.gentoo.org/show_bug.cgi?id=96243
Patch: 
http://www.cacti.net/downloads/patches/0.8.6d/cacti_0_8_6e_security.patch
- Affected version: prior to 0.8.6e
http://www.cacti.net/release_notes_0_8_6e.php
- Debian versions: 0.6.7-2.2 in oldstable, 0.8.6c-7 in stable, 0.8.6e-1 in 
testing/sid
- Bug reported:  #315703 (not tagged 'security')

[ Review oldstable code ]
[ Code is not affected by these vulnerabilities, the vulnerable code is not 
present ]

Status: Debian _is_ affected, a fix is pending approval from the 
security team upload

Actions that need to be taken:
a) tag 'security' the BTS entries



Now that you all know how to improve the situation and help why don't you
start doing it? Start with all the vulnerabilities in Joey's stable security
pages. Follow up with all the vulnerabilities which are not listed there
but are related to software present in Debian for which other vendors have
published advisories already.

And then send the reports to the security team CC'ing this list. I'm 
anxious to see how many who have voiced their concerns will end up 
publishing here a status report.

Regards

Javier


PS: I'm not adding Secunia to the vulnerability info since it's obviously 
not current / correct, see http://secunia.com/product/143/ for example.





Re: Bad press related to (missing) Debian security

2005-06-28 Thread Florian Weimer
* Moritz Muehlenhoff:

> The whole embargo thing about stable security is overrated anyway;

Yes, that's my impression as well.

> as far as I can see it for May and June only mailutils, qpopper and
> ppxp were embargoed, so that they hadn't been publicly known when
> the DSA was published (and even for mailutils and qpopper there was
> a small time frame of 1-2 days between first vendor fix and the
> DSA).

The BSD telnet bug was embargoed as well, but it's not clear if Debian
had access to this information.

It's pretty strange that the disclosure of future BSD userland
vulnerabilities will likely be scheduled according to Microsoft's
needs.

> The majority of all issues could be handled a lot more transparently, IMO.

I agree.


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Re: Bad press related to (missing) Debian security

2005-06-28 Thread martin f krafft
also sprach Marek Olejniczak <[EMAIL PROTECTED]> [2005.06.28.1215 +0200]:
> Unfortunately you are right :-( At this moment there is no secure
> Debian distribution.

unstable. :)

-- 
Please do not send copies of list mail to me; I read the list!
 
 .''`. martin f. krafft <[EMAIL PROTECTED]>
: :'  :proud Debian developer and author: http://debiansystem.info
`. `'`
  `-  Debian - when you have better things to do than fixing a system
 
Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!
 
obviously i was either onto something, or on something.
 -- larry wall on the creation of perl




Re: custom sec updates, was Bad press related to (missing) Debian security

2005-06-28 Thread martin f krafft
also sprach Thomas Seliger <[EMAIL PROTECTED]> [2005.06.28.1208 +0200]:
> Even if you did not use those techniques (.deb building, running an apt 
> source) up to now, I think it's rewarding for you, especially if you run 
> a larger number of servers. I do not have any links ready to point you 
> to, but I'll check my (unsorted) bookmark file later ;)

man apt-ftparchive is all you basically need.

Put the files into a directory which apache can access, e.g.
/srv/apt --> http://server/apt, then run:

  apt-ftparchive packages . > Packages

and you're done. Make sure to set the proper permissions.

Now add

  deb http://server/apt ./

to your machines and `apt-get update`.

Finally, make sure to use the proper version increments. My
suggestion is the following shell function (part of
dpkg-reversion/debedit, which is not yet part of Debian):

  bump_version()
  {
    # Append or increment a "+0.local.N" suffix so that the rebuilt
    # package sorts after the stock one but before its next Debian revision.
    VERSTR='+0.local.'
    case $1 in
      *${VERSTR}[0-9]*)
        # already carries a local suffix: bump its counter
        REV=${1##*${VERSTR}}
        echo "${1%${VERSTR}*}${VERSTR}$((REV + 1))";;
      *-*)
        # has a Debian revision: append the first local suffix
        echo "${1}${VERSTR}1";;
      *)
        # native version without a revision: add "-0" first
        echo "${1}-0${VERSTR}1";;
    esac
  }

piper:~> bump_version 1.0-1
1.0-1+0.local.1
piper:~> dpkg --compare-versions 1.0-1 lt 1.0-1+0.local.1 && echo yes
yes
piper:~> dpkg --compare-versions 1.0-1+0.local.1 lt 1.0-2 && echo yes
yes

piper:~> bump_version 1.0
1.0-0+0.local.1
piper:~> dpkg --compare-versions 1.0 lt 1.0-0+0.local.1 && echo yes
yes
piper:~> dpkg --compare-versions 1.0-0+0.local.1 lt 1.0-1 && echo yes
yes
piper:~> dpkg --compare-versions 1.0-0+0.local.1 lt 1.1 && echo yes
yes

Alternatively, use APT pinning.

FWIW, my book[0] includes information about how to run your own
package repositories, and how to modify packages and properly
integrate them with APT.

  0. http://debiansystem.info

Cheers,

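A Python port of the comparison rules behind `dpkg --compare-versions`, together with the bump_version rule above, as an added example that is not martin's code, not from dpkg-reversion/debedit and not from any Debian tool. It checks the ordering shown in the transcript and does the version-versus-fixed-version first pass of Javier's status reports with the cacti versions quoted there; the dpkg algorithm is re-implemented only so the check runs where dpkg is not installed, and on a Debian host `dpkg --compare-versions` remains the reference.

```python
"""Debian version ordering for local security rebuilds and first-pass triage.

Added example for this thread; it is not martin's dpkg-reversion/debedit
code and not part of any Debian tool. compare_versions() re-implements
the dpkg comparison rules (epoch, upstream_version, debian_revision;
'~' sorts before everything, letters before other non-digits, digit runs
compared numerically) so the checks run where dpkg is not installed.
"""
import re

VERSTR = "+0.local."   # the local-suffix convention used by bump_version


def _order(c: str) -> int:
    """Weight of a non-digit character, as in dpkg's order()."""
    if c == "~":
        return -1          # '~' sorts before anything, even end of string
    if c.isalpha():
        return ord(c)
    return ord(c) + 256    # '+', '.', '-', ... sort after letters


def _verrevcmp(a: str, b: str) -> int:
    """Compare one upstream_version or debian_revision the dpkg way."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit run: compare weights; a digit or end of string weighs 0.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) and not a[i].isdigit() else 0
            bc = _order(b[j]) if j < len(b) and not b[j].isdigit() else 0
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        # Digit run: drop leading zeros, then the longer run is the larger
        # number; equal lengths are decided by the first differing digit.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        first_diff = 0
        while i < len(a) and j < len(b) and a[i].isdigit() and b[j].isdigit():
            if first_diff == 0:
                first_diff = ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(version: str):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """-1, 0 or 1, matching 'dpkg --compare-versions a lt|eq|gt b'."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    for x, y in ((ua, ub), (ra, rb)):
        r = _verrevcmp(x, y)
        if r:
            return -1 if r < 0 else 1
    return 0


def bump_version(version: str) -> str:
    """Port of the bump_version shell function: add or increment the local suffix."""
    if re.search(re.escape(VERSTR) + r"[0-9]", version):
        base, rev = version.rsplit(VERSTR, 1)   # like ${1%+0.local.*} / ${1##*+0.local.}
        return f"{base}{VERSTR}{int(rev) + 1}"
    if "-" in version:                           # has a Debian revision
        return f"{version}{VERSTR}1"
    return f"{version}-0{VERSTR}1"               # native version: add "-0" first


def suites_below(suite_versions: dict, fixed_upstream: str) -> list:
    """First-pass triage for a status report: suites whose package sorts
    below the fixed upstream version. A hit means 'review the code', not
    'vulnerable': the cacti report in the thread shows oldstable's 0.6.7
    sorting below 0.8.6e while not containing the affected code at all."""
    return [suite for suite, v in suite_versions.items()
            if compare_versions(v, fixed_upstream) < 0]


# Sample input constructed from the cacti versions quoted in the thread.
CACTI_VERSIONS = {"oldstable": "0.6.7-2.2", "stable": "0.8.6c-7", "testing/sid": "0.8.6e-1"}

if __name__ == "__main__":
    for v in ("1.0-1", "1.0"):
        first = bump_version(v)
        print(f"{v} -> {first} -> {bump_version(first)}")
    print("cacti suites to review:", suites_below(CACTI_VERSIONS, "0.8.6e"))
```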


Re: Bad press related to (missing) Debian security

2005-06-28 Thread martin f krafft
also sprach Marek Olejniczak <[EMAIL PROTECTED]> [2005.06.28.1148 +0200]:
> No, it was *my* decision! I've been using Debian for 4 years and
> I like this distribution. And it surprised me that my favourite
> distro has problems with security.

It surprised everyone, even though it was not a real surprise -- if
that makes sense. The security team has been a major weakness of
Debian for a while. It was only a question of time until it all came
down on Joey.

Anyway, if you like Debian, then you should keep using it. The
current situation is unacceptable, and we are all aware of this. But
the good news is that a lot of people are working on it, and after
the stereotypical blow in the face, we'll have something to learn to
prevent such problems in the future.

So bear with us for just a little while more, consider disabling the
affected services for now, or roll your own security updates until
we have caught up.



Re: Bad press related to (missing) Debian security

2005-06-28 Thread Marek Olejniczak

On Tue, 28 Jun 2005, martin f krafft wrote:

> No, he installed Sarge because it was cool back at the time.

You are right - I'm waiting for the new Debian release before installing
new servers. My other servers are running Woody.

> That said... of course woody is currently also
> potentially vulnerable.

Unfortunately you are right :-( At this moment there is no secure Debian
distribution.


---
Marek





custom sec updates, was Bad press related to (missing) Debian security

2005-06-28 Thread Thomas Seliger


Marek Olejniczak wrote:

> I must use it. Sarge is working on ISP production servers.

I work for a medium-sized company and moved nearly all our application
hosting servers from wind0ze and SuSE to Debian. Debian is our choice for
production servers.

> I'm working for many ISP providers. And now I have problems with
> security on these servers. What can I do? I can't patch by hand every bug
> on many servers!

I suggest you create your own apt server (basically it's just an HTTPD).
When you administer a larger number of servers, you often face the
problem that you need to deploy customized packages to many machines. So
using your own apt source in addition to the stable Debian sources is the
way to go IMHO.

Once you have such a thing in place, rolling out your own security
patches / customisations on many systems gets much easier. I have my own
apache, postgresql, java and jboss packages for example. I also
distributed a patched version of sudo this way.

Even if you did not use those techniques (.deb building, running an apt
source) up to now, I think it's rewarding for you, especially if you run
a larger number of servers. I do not have any links ready to point you
to, but I'll check my (unsorted) bookmark file later ;)


Peace,
Tom





Re: Bad press related to (missing) Debian security

2005-06-28 Thread Marek Olejniczak

> > Other distros don't have such problems with security. I'm complaining
> > because I think it was a mistake to install Debian Sarge on these
> > servers. :-(
>
> If that's what you think then it's best to reinstall these servers
> with something else because that'll be cheaper than the risk of
> having them compromised.

Reinstallation is not possible now! These servers are running 24h a day.


Marek





taking a break (was: Bad press related to (missing) Debian security)

2005-06-28 Thread martin f krafft
also sprach martin f krafft <[EMAIL PROTECTED]> [2005.06.28.1108 +0200]:
> No, he installed Sarge because it was cool back at the time.

Yeah so this whole thing has been growing on me a little too much.
Sorry for being snappy in the last two posts (to Marek and Alvin).

I am going to take the afternoon off.



Re: Bad press related to (missing) Debian security

2005-06-28 Thread Marek Olejniczak

On Tue, 28 Jun 2005, Matthew Palmer wrote:

> On Tue, Jun 28, 2005 at 10:36:34AM +0200, Marek Olejniczak wrote:
> > On Tue, 28 Jun 2005, martin f krafft wrote:
> > > We are working to fix it. The last thing we need now are people
> > > complaining and moaning.
> >
> > I'm working for many ISP providers. And now I have problems with security
> > on these servers. What can I do? I can't patch by hand every bug on many
> > servers!
>
> You're complaining to *us* because someone *else* made a decision you don't
> agree with?

No, it was *my* decision! I've been using Debian for 4 years and I like this
distribution. And it surprised me that my favourite distro has problems
with security.



---
Marek





Re: Bad press related to (missing) Debian security - action

2005-06-28 Thread Frans Pop
On Tuesday 28 June 2005 11:02, martin f krafft wrote:
> > instead of adding to the security team's tasks, and instead of
> > writing emails, why don't we spend the time to write some scripts
> > to do what we're expecting to be done by the security team ??
>
> thanks for the proposal. why did you write it and not just get on
> with those scripts already?
>
> > - yes.. i'm volunteering if there is enough "folks" that want to
> >   solve security problems and automate security patch releases
> > - it's a task for debian-man .. more than what super-man or
> >   bat-man can do
>
> people "volunteering" are useless. people actually doing something
> are not.

Hey! You were being so constructive and positive. Why are you now falling 
back to old fashioned Debian-like flaming?

Before you actually start something in an area like this I think it's 
perfectly fair to first mail the list and get reactions.

Maybe you should take a break and let others get their ideas into this 
thread. (Not saying that your contribution so far isn't appreciated.)

Cheers,
FJP




Re: Bad press related to (missing) Debian security

2005-06-28 Thread martin f krafft
also sprach Matthew Palmer <[EMAIL PROTECTED]> [2005.06.28.1104 +0200]:
> > Other distros don't have such problems with security. I'm
> > complaining because I think it was a mistake to install Debian Sarge
> > on these servers. :-(
> 
> You're complaining to *us* because someone *else* made a decision
> you don't agree with?  

No, he installed Sarge because it was cool back at the time.

I do wonder what kind of ISP switches to sarge right after the
release... those who need security probably stay with woody just
a little longer for all the childhood problems to resolve themselves
(read: sarge r1). That said... of course woody is currently also
potentially vulnerable.



Re: Bad press related to (missing) Debian security

2005-06-28 Thread martin f krafft
also sprach Marek Olejniczak <[EMAIL PROTECTED]> [2005.06.28.1036 +0200]:
> >Then don't use it.
> 
> I must use it. Sarge is working on ISP production servers.

I am sorry. The best I can tell you is that it currently looks as if
the situation will soon be under control and resolved. And soon is
likely to be very soon/this week.

> >We are working to fix it. The last thing we need now are people
> >complaining and moaning.
> 
> I'm working for many ISP providers. And now I have problems with
> security on these servers. What can I do? I can't patch by hand
> every bug on many servers!

You have to.

> Other distros don't have such problems with security. I'm complaining
> because I think it was a mistake to install Debian Sarge on these
> servers. :-(

If that's what you think then it's best to reinstall these servers
with something else because that'll be cheaper than the risk of
having them compromised.



Re: Bad press related to (missing) Debian security

2005-06-28 Thread Matthew Palmer
On Tue, Jun 28, 2005 at 10:36:34AM +0200, Marek Olejniczak wrote:
> On Tue, 28 Jun 2005, martin f krafft wrote:
> >We are working to fix it. The last thing we need now are people
> >complaining and moaning.
> 
> I'm working for many ISP providers. And now I have problems with security 
> on these servers. What can I do? I can't patch by hand every bug on many 
> servers!

So don't.  Roll security-patched packages and run your own repository. 
Contribute your changes and experiences back to the BTS.  Hell, start an
alternative security updates archive.

> Other distros don't have such problems with security. I'm complaining 
> because I think it was a mistake to install Debian Sarge on these 
> servers. :-(

You're complaining to *us* because someone *else* made a decision you don't
agree with?  

- Matt




Re: Bad press related to (missing) Debian security - action

2005-06-28 Thread martin f krafft
also sprach Alvin Oga <[EMAIL PROTECTED]> [2005.06.28.1031 +0200]:
> lots of people have their own requirements for security ...

security *is* subjective.

> instead of adding to the security team's tasks, and instead of
> writing emails, why don't we spend the time to write some scripts
> to do what we're expecting to be done by the security team ??

thanks for the proposal. why did you write it and not just get on
with those scripts already?

> - yes.. i'm volunteering if there is enough "folks" that want to 
>   solve security problems and automate security patch releases
>   - it's a task for debian-man .. more than what super-man or
>   bat-man can do

people "volunteering" are useless. people actually doing something
are not.



Re: Bad press related to (missing) Debian security

2005-06-28 Thread Marek Olejniczak

On Tue, 28 Jun 2005, martin f krafft wrote:

> also sprach Marek Olejniczak <[EMAIL PROTECTED]> [2005.06.28.0854 +0200]:
> > Sarge has many security holes in packages and kernel, and some of
> > these holes are critical. In my opinion Sarge isn't a stable
> > distribution now, it's a dangerous distribution.
>
> Then don't use it.

I must use it. Sarge is working on ISP production servers.

> We are working to fix it. The last thing we need now are people
> complaining and moaning.

I'm working for many ISP providers. And now I have problems with security
on these servers. What can I do? I can't patch by hand every bug on many
servers!

Other distros don't have such problems with security. I'm complaining
because I think it was a mistake to install Debian Sarge on these
servers. :-(



---
Marek





Re: Bad press related to (missing) Debian security - action

2005-06-28 Thread Alvin Oga

hi ya

On Tue, 28 Jun 2005, Javier Fernández-Sanguino Peña wrote:

lots of people have their own requirements for security ...

instead of adding to the security team's tasks, and instead of writing
emails, why don't we spend the time to write some scripts to do
what we're expecting to be done by the security team ??

- the security tasks are not that hard to implement
  but do require time and some forethought

- more importantly the testing prior to release of packages
  should be 100% automated ... so that any volunteer can run
  the regression test suites prior to releasing patches

- there is NOT one "right security solution" but there will be many
  possible solutions

- yes.. i'm volunteering if there is enough "folks" that want to
  solve security problems and automate security patch releases
- it's a task for debian-man .. more than what super-man or
  bat-man can do

c ya
alvin




Re: Bad press related to (missing) Debian security

2005-06-28 Thread Javier Fernández-Sanguino Peña
On Mon, Jun 27, 2005 at 06:44:06PM -0400, Michael Stone wrote:
> On Tue, Jun 28, 2005 at 12:00:28AM +0200, martin f krafft wrote:
> >Do you guys see this as a de facto state with no solution, or is
> >a good solution simply waiting to be found?
> 
> The security secretaries were originally going to be part of the
> solution, and there was talk from some people about writing a tracking
> system that didn't materialize. Mostly I think it just needs
> recognition that it's a problem that needs a solution.

When I approached the security team last year I was told that there was 
indeed a tracking system, it just could not be made public because it mixed 
both publicly known vulnerabilities (i.e. those others have released 
advisories on) and non-public vulns (i.e. those discussed in vendor-sec or 
reported privately).

Regards

Javier




Re: Bad press related to (missing) Debian security

2005-06-28 Thread martin f krafft
also sprach Marek Olejniczak <[EMAIL PROTECTED]> [2005.06.28.0854 +0200]:
> For me "stable distribution" means "secure". Is Sarge secure now?
> No, it isn't!

Most installations are secure. I know security is a delicate topic,
but there is no point in polemic exaggeration.

> Four weeks after the new release of Debian,

Get your facts straight.

> Sarge has many security holes in packages and kernel, and some of
> these holes are critical. In my opinion Sarge isn't a stable
> distribution now, it's a dangerous distribution.

Then don't use it.

We are working to fix it. The last thing we need now are people
complaining and moaning.



Re: Bad press related to (missing) Debian security

2005-06-27 Thread martin f krafft
also sprach Moritz Muehlenhoff <[EMAIL PROTECTED]> [2005.06.28.0156 +0200]:
> Have a look at the system we use for the testing security team (I
> always thought it originated in the security team):
> http://lists.alioth.debian.org/pipermail/secure-testing-commits/2005-June/thread.html
> 
> This system is so efficient that most communication is basically
> made through svn log messages.

Not meaning to dispel it, but isn't this essentially a bug
tracking system or ticket system done slightly differently?

What I think Debian (as a whole) needs is an improved issue tracker
with the following features:

  - single-bug subscription, through association with the bug (like
    bugzilla)
  - ability to set a bug as private, meaning that only associated
    people can view it or even find out about its existence.

add to that some automated way to open tickets for new CVEs and you
have a team todo list.

I know that this is not really what you guys want to hear and it's
probably best to adopt testing-security's approach for
stable-security. However, I am considering devoting more of my time
to this stuff in the future, and such a system would be needed for
some of the innovative approaches I have in mind. Thus, I'd love to
hear opinions.



Re: Bad press related to (missing) Debian security

2005-06-27 Thread Marek Olejniczak

> On Monday 27 June 2005 20:39, Marek Olejniczak wrote:
> > I don't understand the philosophy of the Debian security team. Is it really
> > so difficult to push spamassassin 3.0.4, which is not vulnerable, into
> > sarge? This version is in Debian testing, so why can't this version
> > be pushed into stable?
>
> Seems that you don't understand the philosophy of the 'stable' release
> either. The basic rule for stable is: "no new upstream versions allowed".
> This means security updates for spamassassin need to be backported to
> 3.0.3 (excluding any functional changes).
>
> Even if 3.0.4 contains only the security fix, it will still be backported
> and released as 3.0.3-1sarge1 or something like that.

For me "stable distribution" means "secure". Is Sarge secure now? 
No, it isn't! Four weeks after the new release of Debian, Sarge has many 
security holes in packages and kernel, and some of these holes are 
critical. In my opinion Sarge isn't a stable distribution now, it's a 
dangerous distribution.



---
Marek





Re: Bad press related to (missing) Debian security

2005-06-27 Thread Matt Zimmerman
On Tue, Jun 28, 2005 at 01:56:55AM +0200, Moritz Muehlenhoff wrote:

> Have a look at the system we use for the testing security team (I always
> thought it originated in the security team):
> http://lists.alioth.debian.org/pipermail/secure-testing-commits/2005-June/thread.html
> 
> This system is so efficient that most communication is basically made
> through svn log messages.
> 
> A similar way would be very nice for stable security support as well.

Interesting; I didn't know about this.  I suggested to Joey Hess that stable
and testing security work should be done by a single security team; one of
the benefits of this would be convergence on better tools.

> The whole embargo thing about stable security is overrated anyway; as far
> as I can see it for May and June only mailutils, qpopper and ppxp were
> embargoed, so that they hadn't been publicly known when the DSA was
> published (and even for mailutils and qpopper there was a small time frame
> of 1-2 days between first vendor fix and the DSA).  The majority of all
> issues could be handled a lot more transparently, IMO.

Yes, non-embargoed issues could be handled more transparently.  The best way
to deal with non-embargoed issues, of course, is for the package maintainer
to prepare an update and send it to the security team.

-- 
 - mdz





Re: Bad press related to (missing) Debian security

2005-06-27 Thread Michael Stone

On Tue, Jun 28, 2005 at 01:29:12AM +0200, martin f krafft wrote:

> So if we all recognise it as a problem, it will solve itself?


Nothing's useful if people won't use it.

Mike Stone





Re: Bad press related to (missing) Debian security

2005-06-27 Thread Moritz Muehlenhoff
In gmane.linux.debian.devel.security, you wrote:
>>Part of the problem with security updates has to do with the fact that
>>it's just difficult to coordinate the work.  Even when Wichert, mdz, and
>>others were more active, Joey still did most of the work because it was
>>often easier for one person to keep track of everything.
>
> That's exactly it. There's no effective tracking of security problems,
> and some people don't see this as a problem. That makes it extremely
> difficult for others to see what needs to be done.

Have a look at the system we use for the testing security team (I always
thought it originated in the security team):
http://lists.alioth.debian.org/pipermail/secure-testing-commits/2005-June/thread.html

This system is so efficient that most communication is basically made
through svn log messages.

A similar way would be very nice for stable security support as well.
The whole embargo thing about stable security is overrated anyway; as far
as I can see it for May and June only mailutils, qpopper and ppxp were
embargoed, so that they hadn't been publicly known when the DSA was published
(and even for mailutils and qpopper there was a small time frame of 1-2 days
between first vendor fix and the DSA).
The majority of all issues could be handled a lot more transparently, IMO.

Cheers,
Moritz





Re: Bad press related to (missing) Debian security

2005-06-27 Thread martin f krafft
also sprach Michael Stone <[EMAIL PROTECTED]> [2005.06.28.0044 +0200]:
> The security secretaries were originally going to be part of the
> solution, and there was talk from some people about writing
> a tracking system that didn't materialize. Mostly I think it just
> needs recognition that it's a problem that needs a solution.

So if we all recognise it as a problem, it will solve itself?

Wouldn't a ticket system (possibly request-tracker3) be helpful
here?



Re: Bad press related to (missing) Debian security

2005-06-27 Thread Michael Stone

On Tue, Jun 28, 2005 at 12:00:28AM +0200, martin f krafft wrote:

> Do you guys see this as a de facto state with no solution, or is
> a good solution simply waiting to be found?


The security secretaries were originally going to be part of the
solution, and there was talk from some people about writing a tracking
system that didn't materialize. Mostly I think it just needs
recognition that it's a problem that needs a solution.

Mike Stone





Re: Bad press related to (missing) Debian security

2005-06-27 Thread martin f krafft
also sprach martin f krafft <[EMAIL PROTECTED]> [2005.06.27.2100 +0200]:
> There is a problem with that, namely responsible disclosure. The
> team cannot be too big or else the other organisations in the
> consortium will object for danger of leakage.
> 
> I think what we do need though is an infrastructure which makes it
> easier for people to contribute on public issues.

Petter Reinholdtsen added the following over at -project
(forwarded with permission)

  There already exists a larger team monitoring security lists, CVE
  reports, fixing bugs and helping maintainers fixing bugs etc.  It
  works in public, and accepts help from everyone interested in
  participating.  It is the testing security team,
  <http://secure-testing.alioth.debian.org/>.  I believe that
  all people interested in helping out with the security work in
  Debian should make an effort in this team.

  This will directly help the security status of Debian unstable and
  testing (security fixes for testing are normally uploaded into
  unstable), and indirectly help the stable security team as this
  team gets a list of security issues to track, proposed patches,
  knowledge about the security issues discovered, and thus less work
  fixing the publicly known security issues.  In addition, it can
  form a good recruitment base for the stable security team.  Those
  proving themselves in the public work with testing security will
  be good candidates for the stable security team.

  Isn't this a good way to do it?

... nothing to add.

-- 
Please do not send copies of list mail to me; I read the list!
 
 .''`. martin f. krafft <[EMAIL PROTECTED]>
: :'  :proud Debian developer and author: http://debiansystem.info
`. `'`
  `-  Debian - when you have better things to do than fixing a system
 
Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!
 
"when a gentoo admin tells me that the KISS principle is good for
 'busy sysadmins', and that it's not an evolutionary step backwards,
 i wonder whether their tape is already running backwards."




Re: Bad press related to (missing) Debian security

2005-06-27 Thread Ulf Harnhammar
> > That's exactly it. There's no effective tracking of security problems,
> > and some people don't see this as a problem. That makes it extremely
> > difficult for others to see what needs to be done.
> 
> Do you guys see this as a de facto state with no solution, or is
> a good solution simply waiting to be found?

FWIW, Gentoo uses bugzilla to track security issues.

// Ulf


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Re: Bad press related to (missing) Debian security

2005-06-27 Thread martin f krafft
thus spoke Michael Stone <[EMAIL PROTECTED]> [2005.06.27.2251 +0200]:
> On Mon, Jun 27, 2005 at 02:36:12PM -0400, Noah Meyerhans wrote:
> >Part of the problem with security updates has to do with the fact that
> >it's just difficult to coordinate the work.  Even when Wichert, mdz, and
> >others were more active, Joey still did most of the work because it was
> >often easier for one person to keep track of everything.
> 
> That's exactly it. There's no effective tracking of security problems,
> and some people don't see this as a problem. That makes it extremely
> difficult for others to see what needs to be done.

Do you guys see this as a de facto state with no solution, or is
a good solution simply waiting to be found?



Re: Bad press related to (missing) Debian security

2005-06-27 Thread Ulf Harnhammar
On Mon, Jun 27, 2005 at 09:05:20PM +0200, Frans Pop wrote:
> Even if 3.0.4 contains only the security fix

It doesn't, BTW:

http://wiki.apache.org/spamassassin/changes304

// Ulf





Re: Bad press related to (missing) Debian security

2005-06-27 Thread Ulf Harnhammar
On Mon, Jun 27, 2005 at 07:36:50PM +, Paul Hink wrote:
> Having one's workstation compromised (e.g. due to some vulnerability of
> Mozilla) is a serious thing. There might be confidential data (e.g.
> private e-mails) stored on it and in many cases it makes compromising a
> server much easier as well (e.g. by logging SSH passwords or stealing
> private SSH keys and their passphrases).

From a company/organisation's point of view, this might be almost as serious
as getting root. If you're a system administrator, you really don't want
people to get root on the machine. If you're the CEO, you're mostly concerned
with not letting outsiders read and/or write secret documents, which the
users often store in /home/*. Cracking the right workstation might allow an
attacker to access all the documents they want.

(Something completely different: the Debian Security Audit Project has talked
about auditing all of base, to make sure it's reasonably secure. Any volunteers
are very welcome, as we're just three active members at the moment.)

// Ulf





Re: Bad press related to (missing) Debian security

2005-06-27 Thread Michael Stone

On Mon, Jun 27, 2005 at 07:43:50PM +0100, Steve Kemp wrote:

> In some cases fixing a problem, which an upstream will not, or
> which the package maintainer cannot is *very* hard work.  (eg. Mozilla/
> Kernel images).


Damn near impossible, in the case of mozilla. I trolled several times on
debian-security for someone to put something together, and never got a
nibble.

Mike Stone





Re: Bad press related to (missing) Debian security

2005-06-27 Thread Michael Stone

On Mon, Jun 27, 2005 at 02:36:12PM -0400, Noah Meyerhans wrote:

> Part of the problem with security updates has to do with the fact that
> it's just difficult to coordinate the work.  Even when Wichert, mdz, and
> others were more active, Joey still did most of the work because it was
> often easier for one person to keep track of everything.


That's exactly it. There's no effective tracking of security problems,
and some people don't see this as a problem. That makes it extremely
difficult for others to see what needs to be done.

Mike Stone





Re: Bad press related to (missing) Debian security

2005-06-27 Thread Adam Majer
Steve Kemp wrote:

> On Mon, Jun 27, 2005 at 02:36:12PM -0400, Noah Meyerhans wrote:
>
>> Even allowing uploads from the secretaries could be helpful.
>
>  Definitely.
>
>  I've got fixed packages available right now for some of the
> bugs which have been raised in this thread, but until somebody
> can push out the advisories they're just sat around gathering dust.
>
I would be very happy if Steven could become a full member of the
security team. We need someone there that is responsive and can do the
work. I know that Steven was doing a bit of code reviewing as part of a
Debian Security Audit Project (http://www.nl.debian.org/security/audit/).

>> Part of the problem with security updates has to do with the fact that
>> it's just difficult to coordinate the work.
>
>  That's probably true, and kinda an argument against suddenly adding
> more members too ...
>
There should not be major changes, but the structure of the security
team should remain current. Inactive members *should* be removed
promptly and be replaced by more active members of the Debian Developer
community.

- Adam






Re: Bad press related to (missing) Debian security

2005-06-27 Thread Paul Hink
Adam Majer <[EMAIL PROTECTED]> wrote:

> Jan Lühr wrote:

>> In its last one to two years Woody was starving out of security
>> updates.  (Samba, Mozilla, Kernel, etc.).

> These are much less of a problem since they deal with either Intranet
> only applications (Samba),

"Intranet" is not a synonym for "trusted network".

> client side applications (mozilla)

Having one's workstation compromised (e.g. due to some vulnerability of
Mozilla) is a serious thing. There might be confidential data (e.g.
private e-mails) stored on it and in many cases it makes compromising a
server much easier as well (e.g. by logging SSH passwords or stealing
private SSH keys and their passphrases).

> or the kernel that one usually rolls their own for their servers.

If the kernel images provided by Debian (stable) are to be considered
insecure that fact should be stated in clear and simple words where it
will most definitely be recognized by all of its users.

Paul





Re: Bad press related to (missing) Debian security

2005-06-27 Thread martin f krafft
thus spoke Noah Meyerhans <[EMAIL PROTECTED]> [2005.06.27.2116 +0200]:
> of a "secretary". (though, when trying to do that kind of work,
> I've always found that I'm a whole lot better at hacking than I am
> at secretarial work; I suspect that's the case with a lot of
> developers)

Barring that I don't have much experience as a secretary, I would
actually have to say that it's the other way around for me. I tend
to be good at organisation and correspondence, and while I like to
hack, it usually takes too much time for me, since I am
a perfectionist.

Yeah, uh, so... 



Re: Bad press related to (missing) Debian security

2005-06-27 Thread Steve Kemp
On Mon, Jun 27, 2005 at 09:05:53PM +0200, martin f krafft wrote:

> > The secretary position was originally created to help this
> > situation, but it was never really clear to me what my role was
> > supposed to be.
> 
> I never understood it either.
> 
> How much information can be disclosed about the inner workings of
> the security team without damage?

  I don't see that the workings of the team itself are particularly
 sensitive, only the actual packages being worked upon.  (Responsible
 disclosure / coordinated releases, etc).

  A long time ago I wrote a small introduction to how it works,
 none of it is surprising, and none of it is sensitive in any
 way that I can see:

http://people.debian.org/~skx/team.html

Steve
--





Re: Bad press related to (missing) Debian security

2005-06-27 Thread martin f krafft
> At the same time, though, I think we need to take immediate action.
> Among the first steps would be the analysis of the status quo. I am
> going through the list of CVEs right now. There are *loads*. And
> I could need help. I'll ping out to joeyh to see if we could put his
> scripts for testing-security to any use.

Ah, thanks to the testing-security team:

  http://newraff.debian.org/~joeyh/demo.html

This list is about testing, but joeyh is adding
  http://newraff.debian.org/~joeyh/stable-security.html
right now.

Anyway, note that the situation seems to be under control already
and an announcement is under preparation. Therefore I apologise for
coming across a little hectic in my post.



Re: Bad press related to (missing) Debian security

2005-06-27 Thread Noah Meyerhans
On Mon, Jun 27, 2005 at 09:05:53PM +0200, martin f krafft wrote:
> 
> How much information can be disclosed about the inner workings of
> the security team without damage?

Most, but not all, of the security team's work is rather routine and
very uninteresting.  Often it is necessary to review code and verify
that it does actually fix a given problem.  That can be very difficult,
and is often made more difficult by the fact that we're dealing with
older and no longer supported upstream versions.  Package maintainers
are routinely enlisted to help with the process, though, under the
assumption that they are more familiar with the code than is the
security team.

IMHO, the security secretaries should be the ones keeping track of
builds and releasing DSAs once all the packages are updated.  This
doesn't require any particular skill, and is ideally suited to the role
of a "secretary". (though, when trying to do that kind of work, I've
always found that I'm a whole lot better at hacking than I am at
secretarial work; I suspect that's the case with a lot of developers)

noah





Re: Bad press related to (missing) Debian security

2005-06-27 Thread Jan Lühr
Greetings,

On Monday, 27 June 2005 20:10, Adam Majer wrote:
> Jan Lühr wrote:
> >Greetings,
> >
> >On Monday, 27 June 2005 15:54, Carl-Eric Menzel wrote:
> >>Does anybody know what the actual problem is, i.e. why there are no
> >>updates?
> >
> >This is not an "actual" problem, this problem is rather imho structural. In
> >its last one to two years Woody was starving out of security updates.
> >(Samba, Mozilla, Kernel, etc.).
>
> These are much less of a problem since they deal with either Intranet
> only applications (Samba), client side applications (mozilla) or the
> kernel that one usually rolls their own for their servers. What I really
> care about from Debian security team is up-to-date fixes for server
> applications that can be exposed to the Internet. For example, apache,
> squid, spamassassin, postfix, sendmail, exim, etc...

I'm not referring to exploits / bugs in general. I'm referring to the
patch-port-situation in Debian.

Keep smiling
yanosz



Re: Bad press related to (missing) Debian security

2005-06-27 Thread martin f krafft
thus spoke Frans Pop <[EMAIL PROTECTED]> [2005.06.27.2105 +0200]:
> Even if 3.0.4 contains only the security fix, it will still be backported 
> and released as 3.0.3-1sarge1 or something like that.

That's actually not guaranteed. If 3.0.4 contains only the security
fix and really nothing else, I see no reason why it cannot be
uploaded to security.debian.org. The reason why usually
(V-1)-1sarge-1 is chosen for the version number is so that if 3.0.4
is still current by the time the next stable goes out, it will be an
upgrade candidate. In this case, the delta would be zero, which
would make it nonsensical and unnecessary to change the version
number in the first place.

Then again, I am not sure about this... just speculating.



Re: Bad press related to (missing) Debian security

2005-06-27 Thread martin f krafft
thus spoke Marek Olejniczak <[EMAIL PROTECTED]> [2005.06.27.2039 +0200]:
> I don't understand the philosophy of Debian security team. It's
> really so difficult to push into sarge spamassassin 3.0.4 which is
> not vulnerable? This version is in Debian testing and why this
> version can't be pushed into stable?

It would not be "stable" anymore with respect to software selection.
Here's the paragraph from my book:
 
  \item[\emph{Software feature stability}]~\\
  Stability\index{stability!feature} may also refer to the feature
  set provided by a software. In this definition, stable software
  does not introduce drastic changes or radical new features from
  one release to the next. Administrators appreciate feature
  stability because it allows them to fix bugs with newer versions
  without risking unwanted changes to the behaviour.

This is one of the essential and most important features of Debian
stable.



Re: Bad press related to (missing) Debian security

2005-06-27 Thread martin f krafft
thus spoke Noah Meyerhans <[EMAIL PROTECTED]> [2005.06.27.2036 +0200]:
> Part of the problem with security updates has to do with the fact
> that it's just difficult to coordinate the work.  Even when
> Wichert, mdz, and others were more active, Joey still did most of
> the work because it was often easier for one person to keep track
> of everything.

Sounds like an issue of workflow management to me. I want to have
a lot of discussions on this topic at debconf anyway, so there's one
concrete domain in need of proper CSCW (computer-supported
cooperative work).

> The secretary position was originally created to help this
> situation, but it was never really clear to me what my role was
> supposed to be.

I never understood it either.

How much information can be disclosed about the inner workings of
the security team without damage?



Re: Bad press related to (missing) Debian security

2005-06-27 Thread Frans Pop
On Monday 27 June 2005 20:39, Marek Olejniczak wrote:
> I don't understand the philosophy of Debian security team. It's really
> so difficult to push into sarge spamassassin 3.0.4 which is not
> vulnerable? This version is in Debian testing and why this version
> can't be pushed into stable?

Seems that you don't understand the philosophy of the 'stable' release 
either. The basic rule for stable is: "no new upstream versions allowed".
This means security updates for spamassassin need to be backported to 
3.0.3 (excluding any functional changes).

Even if 3.0.4 contains only the security fix, it will still be backported 
and released as 3.0.3-1sarge1 or something like that.



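The version-ordering rule behind Frans Pop's "3.0.3-1sarge1" and martin f krafft's point about (V-1)-1sargeN sorting below the next upstream version, as an added example (not code from this thread or from dpkg): a from-scratch reimplementation of dpkg's version comparison, with the spamassassin version strings taken from the thread and testing's 3.0.4-1 assumed.

```python
"""Debian version ordering: why a stable security fix is 3.0.3-1sarge1.

Added example, not from this thread or from dpkg: a reimplementation of
the dpkg version comparison algorithm (Debian Policy, "Version" field).
It checks that the backported fix sorts above what stable shipped but
below the assumed testing package, so the next stable release still
upgrades it.
"""
from functools import cmp_to_key


def _order(c):
    """Weight of one character in a non-digit run (dpkg semantics): '~'
    sorts before everything including end of string, letters by ASCII,
    other symbols after all letters. Digits and end of string are 0."""
    if c == "~":
        return -1
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a, b):
    """Compare two fragments (upstream part or Debian revision) by
    alternating non-digit runs and numeric runs. Returns <0, 0 or >0."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # non-digit run; end of string weighs 0, so "1sarge1" > "1"
        # but "1~bpo1" < "1"
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # numeric run: drop leading zeros, longer run wins, else first digit that differs
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and j < len(b) and a[i].isdigit() and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(version):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    upstream, sep, revision = version.rpartition("-")
    if not sep:  # no hyphen: native package, empty revision
        upstream, revision = revision, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """Like `dpkg --compare-versions`: -1 if a < b, 0 if equal, 1 if a > b."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    for x, y in ((ua, ub), (ra, rb)):
        r = _verrevcmp(x, y)
        if r:
            return -1 if r < 0 else 1
    return 0


def sort_versions(versions):
    """Oldest to newest in dpkg order."""
    return sorted(versions, key=cmp_to_key(compare_versions))


def fix_keeps_upgrade_path(stable, security_fix, next_upstream):
    """The property the thread relies on: the security update is newer than
    what stable shipped, yet older than what the next stable will carry."""
    return (compare_versions(stable, security_fix) < 0
            and compare_versions(security_fix, next_upstream) < 0)


if __name__ == "__main__":
    # constructed from the thread: sarge shipped 3.0.3-1, the fix goes out as
    # 3.0.3-1sarge1; 3.0.4-1 in testing is an assumption
    print(sort_versions(["3.0.4-1", "3.0.3-1sarge1", "3.0.3-1", "3.0.3-1sarge1~bpo1"]))
    print(fix_keeps_upgrade_path("3.0.3-1", "3.0.3-1sarge1", "3.0.4-1"))  # True
    # uploading 3.0.4-1 itself to stable: the delta to testing is zero,
    # equal is not "below", so the property does not hold
    print(fix_keeps_upgrade_path("3.0.3-1", "3.0.4-1", "3.0.4-1"))  # False
```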

Re: Bad press related to (missing) Debian security

2005-06-27 Thread martin f krafft
thus spoke Matt Zimmerman <[EMAIL PROTECTED]> [2005.06.27.2026 +0200]:
> I expect it would be enough if they were all active, but that has
> never been the case for this group.  Wichert, Daniel, Michael and
> myself are all de facto inactive for various reasons, and have
> been for some time.

I, for one, very much appreciate your directness and prompt answer
on this matter, Matt!

> The security team has always been a difficult one to expand.
> A strong level of trust is necessary due to confidentiality
> issues, and security support is a lot of (mostly boring and
> thankless) work.  However, expanding it seems like the only way to
> make it sustainable.

Yes. Let me ask you this: what would you deem the ideal size of the
team? In the beginning you said 5-7 would be enough. Would you make
it bigger if you could?



Re: Bad press related to (missing) Debian security

2005-06-27 Thread Noèl Köthe
On Monday, 27.06.2005, 11:26 -0700, Matt Zimmerman wrote:

> > # Security Team -- <[EMAIL PROTECTED]>
> >  /member/ Martin Schulze
> >  /member/ Wichert Akkerman
> >  /member/ Daniel Jacobowitz
> >  /member/ Michael Stone
> >  /member/ Matt Zimmerman
> >  /secretary/ Noah Meyerhans
> >  /secretary/ Steve Kemp

> the case for this group.  Wichert, Daniel, Michael and myself are all de
> facto inactive for various reasons, and have been for some time.

So they should be removed from the security team to represent the real
situation.

-- 
Noèl Köthe 




Re: Bad press related to (missing) Debian security

2005-06-27 Thread Sven Mueller
Matt Zimmerman wrote on 27/06/2005 20:26:
> On Mon, Jun 27, 2005 at 01:10:10PM -0500, Adam Majer wrote: 
> 
>>are happy the fix will not mess up current functionality. How many
>>people do we need on the actual security team? The current listing states,
>>
>># Security Team -- <[EMAIL PROTECTED]>
>> /member/ Martin Schulze
>> /member/ Wichert Akkerman
>> /member/ Daniel Jacobowitz
>> /member/ Michael Stone
>> /member/ Matt Zimmerman
>> /secretary/ Noah Meyerhans
>> /secretary/ Steve Kemp
>>
>>Is this enough?
> 
> I expect it would be enough if they were all active, but that has never been
> the case for this group.  Wichert, Daniel, Michael and myself are all de
> facto inactive for various reasons, and have been for some time.

So what you are saying is basically:
The security team currently is Martin Schulze who has two secretaries
(whatever a secretary for the security team might do).

> The security team has always been a difficult one to expand.  A strong level
> of trust is necessary due to confidentiality issues, and security support is
> a lot of (mostly boring and thankless) work. 

Like I said in another mail, the security team should probably consist
of two groups (which might have some intersection). However the level of
trust needed to get on the security team shouldn't be so high that only
one active member is on the team. Given the size of Debian and the fact
that the only remaining active member of the team is overworked due to
his many activities in Debian (I thank him for everything he does and
did), I would say that at least five new members should be found for the
team.

> However, expanding it seems like the only way to make it sustainable.

Obviously. And I also have to say: If you haven't been active on the
team for some time, you should have made that clear on the listing. I
really can't understand how you (as a group) could let it get this far.
If most of the group is inactive, you should at least find the time to
accept some new members into the group (and I know many have offered
their help).
I understand that there needs to be some level of trust, so you probably
should appoint some person you can trust for one reason or another.
However, while I see that a high level of trust is needed for access to
non-public security lists, I don't see why Debian as a whole should
require a substantially higher level of trust for security uploads than for
normal uploads. Though I wouldn't want every maintainer to have the
ability to directly upload to security.d.o, I wouldn't have a problem
assigning an almost random number of them the ability and responsibility
to do so.

BTW: If he accepted, I would recommend Martin F. Krafft to get on the team.

cu,
sven





Re: Bad press related to (missing) Debian security

2005-06-27 Thread Steve Kemp
On Mon, Jun 27, 2005 at 08:39:43PM +0200, Marek Olejniczak wrote:

> I don't understand the philosophy of Debian security team. It's really so
> difficult to push into sarge spamassassin 3.0.4 which is not vulnerable?
> This version is in Debian testing and why this version can't be pushed into
> stable?

  In some cases fixing a problem, which an upstream will not, or
 which the package maintainer cannot is *very* hard work.  (eg. Mozilla/
 Kernel images).

  In this particular case pushing the package itself isn't a hard
 job - the problem we're currently seeing isn't that the job is
 hard, but that only a very small number of people have the 
 authority/ability to push the update out.

Steve
--





Re: Bad press related to (missing) Debian security

2005-06-27 Thread Steve Kemp
On Mon, Jun 27, 2005 at 02:36:12PM -0400, Noah Meyerhans wrote:

> Even allowing uploads from the secretaries could be helpful. 

  Definitely.  

  I've got fixed packages available right now for some of the 
 bugs which have been raised in this thread, but until somebody
 can push out the advisories they're just sat around gathering dust.

> Part of the problem with security updates has to do with the fact that
> it's just difficult to coordinate the work.

  That's probably true, and kinda an argument against suddenly adding
 more members too ...

> The secretary position was originally created to help this situation, 
> but it was never really clear to me what my role was supposed to be.

  I admit the role of the position is also a mystery to me, but one
 that I've not worried too much about.

  Reviewing patches and building fixed packages is what I've tried
 to do - whether that is the intended job of a secretary is largely
 irrelevant.

  Other jobs like answering mails from people who say "Help my
 server is hacked" seem more "secretarial" in nature, so I've tried
 to answer those as time and details permit.

Steve
--
www.steve.org.uk





Re: Bad press related to (missing) Debian security

2005-06-27 Thread Marek Olejniczak

On Mon, 27 Jun 2005, Matt Zimmerman wrote:


> The security team has always been a difficult one to expand.  A strong level
> of trust is necessary due to confidentiality issues, and security support is
> a lot of (mostly boring and thankless) work.  However, expanding it seems
> like the only way to make it sustainable.


I don't understand the philosophy of Debian security team. It's really so
difficult to push into sarge spamassassin 3.0.4 which is not vulnerable?
This version is in Debian testing and why this version can't be pushed into
stable?



---
Marek





Re: Bad press related to (missing) Debian security

2005-06-27 Thread Noah Meyerhans
On Mon, Jun 27, 2005 at 11:26:37AM -0700, Matt Zimmerman wrote:
> The security team has always been a difficult one to expand.  A strong level
> of trust is necessary due to confidentiality issues, and security support is
> a lot of (mostly boring and thankless) work.  However, expanding it seems
> like the only way to make it sustainable.

Even allowing uploads from the secretaries could be helpful.  Steve Kemp
has done a lot of good work in his role as secretary (much more than
I've ever done).  In cases where Joey is offline for an extended period
of time, having Steve or myself perform uploads might make the most
sense.  We already have some state WRT the current issues, and have all
the same patches that Joey has.  It's mostly a matter of coordinating
releases with other vendors and making sure that the newly released
package has the right changes applied and has a sane version number.

Part of the problem with security updates has to do with the fact that
it's just difficult to coordinate the work.  Even when Wichert, mdz, and
others were more active, Joey still did most of the work because it was
often easier for one person to keep track of everything.  The secretary
position was originally created to help this situation, but it was never
really clear to me what my role was supposed to be.

noah





Re: Bad press related to (missing) Debian security

2005-06-27 Thread Stefan Fritsch
On Monday 27 June 2005 20:26, Matt Zimmerman wrote:
> I expect it would be enough if they were all active, but that has
> never been the case for this group.  Wichert, Daniel, Michael and
> myself are all de facto inactive for various reasons, and have been
> for some time.

And according to Steve Kemp, the secretaries can't push out updates. 
Which leaves us with Joey.

Maybe it would be a good first step to turn the secretaries into full
members (if they want that)? But I agree with Martin F. Krafft that
the security team should have quite a few more members.

Cheers,
Stefan





Re: Bad press related to (missing) Debian security

2005-06-27 Thread Matt Zimmerman
On Mon, Jun 27, 2005 at 01:10:10PM -0500, Adam Majer wrote:

> are happy the fix will not mess up current functionality. How many
> people do we need on the actual security team? The current listing states,
> 
> # Security Team -- <[EMAIL PROTECTED]>
>  /member/ Martin Schulze
>  /member/ Wichert Akkerman
>  /member/ Daniel Jacobowitz
>  /member/ Michael Stone
>  /member/ Matt Zimmerman
>  /secretary/ Noah Meyerhans
>  /secretary/ Steve Kemp
> 
> Is this enough?

I expect it would be enough if they were all active, but that has never been
the case for this group.  Wichert, Daniel, Michael and myself are all de
facto inactive for various reasons, and have been for some time.

The security team has always been a difficult one to expand.  A strong level
of trust is necessary due to confidentiality issues, and security support is
a lot of (mostly boring and thankless) work.  However, expanding it seems
like the only way to make it sustainable.

-- 
 - mdz





Re: Bad press related to (missing) Debian security

2005-06-27 Thread Adam Majer
Jan Lühr wrote:

> Greetings,
>
> On Monday, 27 June 2005 15:54, Carl-Eric Menzel wrote:
>
>> Does anybody know what the actual problem is, i.e. why there are no
>> updates?
>
> This is not an "actual" problem, this problem is rather imho structural. In
> its last one to two years Woody was starving out of security updates.
> (Samba, Mozilla, Kernel, etc.).
>
These are much less of a problem since they deal with either Intranet
only applications (Samba), client side applications (mozilla) or the
kernel that one usually rolls their own for their servers. What I really
care about from Debian security team is up-to-date fixes for server
applications that can be exposed to the Internet. For example, apache,
squid, spamassassin, postfix, sendmail, exim, etc...

This time around, there has been a remote DoS against spamassassin for
quite a while now and no fix. The maintainer of spamassassin fixed the
problem next day (backport) and apparently submitted it to the security
team (at least that's what I've been told), yet there has been no
response whatsoever.

IMHO, the entire structure of the security team should probably be
overhauled. The maintainers should patch the problems (backport,
whatever) and the security team just authorizes the rebuild once they
are happy the fix will not mess up current functionality. How many
people do we need on the actual security team? The current listing states,

# Security Team -- <[EMAIL PROTECTED]>
 /member/ Martin Schulze
 /member/ Wichert Akkerman
 /member/ Daniel Jacobowitz
 /member/ Michael Stone
 /member/ Matt Zimmerman
 /secretary/ Noah Meyerhans
 /secretary/ Steve Kemp

Is this enough?

- Adam





Re: Bad press related to (missing) Debian security

2005-06-27 Thread martin f krafft
thus spoke Bob Tanner <[EMAIL PROTECTED]> [2005.06.27.1939 +0200]:
> How would one go about getting on the security team?

Current practice is: you don't. The security team advises you to
send notices and patches their way. At any point, they may invite
people who have made significant contributions to join their ranks.

I don't know more details and would love to find out.



Re: Bad press related to (missing) Debian security

2005-06-27 Thread martin f krafft
[cc'ing -project]

also sprach W. Borgert <[EMAIL PROTECTED]> [2005.06.27.1525 +0200]:
> Just FYI: The well-known German Heise Newsticker (IT related) has an
> article today with the title "Debian without security update for
> several weeks": http://www.heise.de/newsticker/meldung/61076
> Hm, bad reputation for us...

It was only a question of time. I had asked Joey publicly about this
at Linuxtag, so it's likely that this is the reason for the coverage
by Heise. While I did not want to push Joey into a corner, it was
quite scary to hear him explain that due to his involvement with
Linuxtag, he did not even find the time to read his email. This is
not to blame Joey (without whom we wouldn't be where we are), but
rather a plea for the Debian project to take *immediate* action. If
Joey does not have time, security support just comes to
a screeching halt. Talk about a bottleneck!

Our security team currently consists of five members and two
secretaries. Joey is hopelessly overworked, but he is still doing
a marvelous job. I do not know anything about the other members as
they do not seem to be very active, neither on IRC nor on the
mailing lists.

The problem is that access to security.debian.org is restricted.
Well, that's a good thing. But it's a problem when it comes to
bottleneck situations as in the current case, when Joey is too
occupied to handle his tasks as security team leader. I don't blame
him at all. Without him, there would probably be far less Linuxtag,
and he is after all not committed to spend 24 hours of his days on
Debian!

But I do wonder: if Joey was busy for two weeks and
security.debian.org was not working right, what did the other four
members and the two secretaries do?

I think we all agree that we cannot go on like this. We need to add
a lot of redundancy to the team. And with that, I don't mean the one
or two new members Joey promised in his answer to me. With that,
I mean that the size of the archive calls for a security team of 20
people or more.

Security is a delicate domain since Debian does need to ensure
a level of privacy, so calling for complete openness as with other
projects won't work. Obviously, we can't just appoint the first 20
to raise their hands. But what we can do is figure out the skills
needed to successfully work with the team and ensure Debian's
quality.

So far, these requirements have been very unclear to me, at least.
There have been times when I was very active, monitoring security
forums and fixing bugs, but the security team never approached me
for help. I have been teaching security to a professional audience for five
years now, so I would actually claim to have at least the necessary
foundation upon which I can quickly learn to adapt to the processes
of the security team.

I am sure I am not the only one. And I am also sure not to be the
only one without a clue what to do. In general, my experience has
been that [EMAIL PROTECTED] is a black hole, and that offers to
help are ignored. Of course, the Debian meritocracy calls for us to
just do something to climb the ladder according to our
accomplishments, but as with the other obscure domains of the Debian
project, which are not open to anyone to just peek at and learn,
it's really difficult to do this when it means working as a blind
person with a couple of mutes.

So at the end of this very long post, I guess I get in line with all
the other folks who'd like to have a statement from the other
members of the security team about what's going on.

At the same time, though, I think we need to take immediate action.
Among the first steps would be the analysis of the status quo. I am
going through the list of CVEs right now. There are *loads*. And
I could use help. I'll ping out to joeyh to see if we could put his
scripts for testing-security to any use.

As soon as we have a list of issues, everyone involved in security
issues should get on the debian-security list (that's what we have)
and add references to bug reports, or open new discussion threads.
From there, we should try to create fixed packages one after the
other and do everything we can to make it as easy as possible for
Joey to upload.

Once we've come back to normal, we should then see what to do about 

Thanks for your patience.

-- 
Please do not send copies of list mail to me; I read the list!
 
 .''`. martin f. krafft <[EMAIL PROTECTED]>
: :'  :proud Debian developer, admin, user, and author
`. `'`
  `-  Debian - when you have better things to do than fixing a system
 
Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!
 
"i don't think so," said rene descartes. just then, he vanished.


signature.asc
Description: Digital signature


Re: Bad press related to (missing) Debian security

2005-06-27 Thread Adam Majer
Bob Tanner wrote:

> How would one go about getting on the security team?
>
> If the entry into the security team is as convoluted as becoming a Debian
> developer I understand why the security team does not have enough active
> members.
I would assume you need to be a DD before you can join the security team.

- Adam





Re: Bad press related to (missing) Debian security

2005-06-27 Thread Bob Tanner
On Monday 27 June 2005 09:53 am, Martin Lohmeier wrote:
> time to get s.d.o working --> not enough active member in the security
> team.

How would one go about getting on the security team?

If the entry into the security team is as convoluted as becoming a Debian
developer I understand why the security team does not have enough active
members.

-- 
Bob Tanner <[EMAIL PROTECTED]>  | Phone : (952)943-8700
http://www.real-time.com, Minnesota, Linux | Fax   : (952)943-8500
Key fingerprint = AB15 0BDF BCDE 4369 5B42  1973 7CF1 A709 2CC1 B288




Re: Bad press related to (missing) Debian security

2005-06-27 Thread Jan Lühr
Greetings,

On Monday, 27 June 2005 15:54, Carl-Eric Menzel wrote:
> On Mon, 27 Jun 2005 15:50:19 +0200, "Jan Wagner" <[EMAIL PROTECTED]> said:
> > On Monday 27 June 2005 15:25, W. Borgert wrote:
> > > Just FYI: The well-known German Heise Newsticker (IT related) has an
> > > article today with the title "Debian without security update for
> > > several weeks": http://www.heise.de/newsticker/meldung/61076
> > > Hm, bad reputation for us...
> >
> > This was only a question of time .. :(
>
> Does anybody know what the actual problem is, i.e. why there are no
> updates?

This is not an "actual" problem; this problem is rather, imho, structural. In
its last one to two years Woody was starved of security updates
(Samba, Mozilla, Kernel, etc.).

Keep smiling
yanosz





Re: Bad press related to (missing) Debian security

2005-06-27 Thread Martin Lohmeier
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Carl-Eric Menzel wrote:
> Does anybody know what the actual problem is, i.e. why there are no
> updates?
> 
> Carl-Eric
> 
> 

Hi,

problem: http://www.infodrom.org/~joey/log/?200506142140

In the discussion on the heise.de article people mentioned [1] the
security "team" (Martin Schulze) has been at LinuxTag and so he had no
time to get s.d.o working --> not enough active members in the security team.

bye, Martin

[1]
http://www.heise.de/security/news/foren/go.shtml?read=1&msg_id=8278429&forum_id=80872

- --

Powered by Debian GNU / Linux
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.1 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFCwBLaOvJj+wS6JuIRAsZfAKCr9I3rZFlBaMpEwyDwfKx/5zluPgCeIOwU
yFaIN8GQKSSzjn9GNJLnLqA=
=tqc0
-END PGP SIGNATURE-





Re: Bad press related to (missing) Debian security

2005-06-27 Thread Carl-Eric Menzel
On Mon, 27 Jun 2005 15:50:19 +0200, "Jan Wagner" <[EMAIL PROTECTED]> said:
> On Monday 27 June 2005 15:25, W. Borgert wrote:
> > Just FYI: The well-known German Heise Newsticker (IT related) has an
> > article today with the title "Debian without security update for
> > several weeks": http://www.heise.de/newsticker/meldung/61076
> > Hm, bad reputation for us...
> 
> This was only a question of time .. :(

Does anybody know what the actual problem is, i.e. why there are no
updates?

Carl-Eric





Re: Bad press related to (missing) Debian security

2005-06-27 Thread Jan Wagner
On Monday 27 June 2005 15:25, W. Borgert wrote:
> Just FYI: The well-known German Heise Newsticker (IT related) has an
> article today with the title "Debian without security update for
> several weeks": http://www.heise.de/newsticker/meldung/61076
> Hm, bad reputation for us...

This was only a question of time .. :(

Regards, Jan.
-- 
-BEGIN GEEK CODE BLOCK-
Version: 3.12
GIT d-- s+: a-- C+++ UL P+ L+++ E- W+++ N+++ o++ K++ w---
O M-- V- PS PE Y++ PGP++ t-- 5 X R tv- b+ DI- D++
G++ e++ h-- r+++ y+++
--END GEEK CODE BLOCK--




Bad press related to (missing) Debian security

2005-06-27 Thread W. Borgert
Just FYI: The well-known German Heise Newsticker (IT related) has an
article today with the title "Debian without security update for
several weeks": http://www.heise.de/newsticker/meldung/61076
Hm, bad reputation for us...

