Re: Bad press related to (missing) Debian security
also sprach Moritz Muehlenhoff <[EMAIL PROTECTED]> [2005.06.28.0156 +0200]:
> Have a look at the system we use for the testing security team (I
> always thought it originated in the security team):
> http://lists.alioth.debian.org/pipermail/secure-testing-commits/2005-June/thread.html
>
> This system is so efficient that most communication is basically
> made through svn log messages.

Not meaning to dispel it, but isn't this essentially a bug tracking system or ticket system done slightly differently?

What I think Debian (as a whole) needs is an improved issue tracker with the following features:

- single-bug subscription, through association with the bug (like bugzilla)
- ability to set a bug as private, meaning that only associated people can view it or even find out about its existence.

Add to that some automated way to open tickets for new CVEs and you have a team todo list.

I know that this is not really what you guys want to hear and it's probably best to adopt testing-security's approach for stable-security. However, I am considering devoting more of my time to this stuff in the future, and such a system would be needed for some of the innovative approaches I have in mind. Thus, I'd love to hear opinions.

-- 
Please do not send copies of list mail to me; I read the list!

 .''`.   martin f. krafft <[EMAIL PROTECTED]>
: :'  :  proud Debian developer and author: http://debiansystem.info
`. `'`
  `-  Debian - when you have better things to do than fixing a system

Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!

DISCLAIMER: this entire message is privileged communication, intended for the sole use of its recipients only. If you read it even though you know you aren't supposed to, you're a poopy-head.
Re: Bad press related to (missing) Debian security
> On Monday 27 June 2005 20:39, Marek Olejniczak wrote:
>> I don't understand the philosophy of Debian security team. It's really so difficult to push into sarge spamassassin 3.0.4 which is not vulnerable? This version is in Debian testing and why this version can't be pushed into stable?
>
> Seems that you don't understand the philosophy of the 'stable' release either. The basic rule for stable is: "no new upstream versions allowed". This means security updates for spamassassin need to be backported to 3.0.3 (excluding any functional changes). Even if 3.0.4 contains only the security fix, it will still be backported and released as 3.0.3-1sarge1 or something like that.

For me "stable distribution" means "secure". Is Sarge secure now? No, it isn't! Four weeks after the new release of Debian, Sarge has many security holes in packages and the kernel, and some of these holes are critical. In my opinion Sarge isn't a stable distribution now, it's a dangerous distribution.

---
Marek

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: Bad press related to (missing) Debian security
On Tue, Jun 28, 2005 at 01:56:55AM +0200, Moritz Muehlenhoff wrote:
> Have a look at the system we use for the testing security team (I always
> thought it originated in the security team):
> http://lists.alioth.debian.org/pipermail/secure-testing-commits/2005-June/thread.html
>
> This system is so efficient that most communication is basically made
> through svn log messages.
>
> A similar way would be very nice for stable security support as well.

Interesting; I didn't know about this. I suggested to Joey Hess that stable and testing security work should be done by a single security team; one of the benefits of this would be convergence on better tools.

> The whole embargo thing about stable security is overrated anyway; as far
> as I can see it for May and June only mailutils, qpopper and ppxp were
> embargoed, so that they hadn't been publicly known when the DSA was
> published (and even for mailutils and qpopper there was a small time frame
> of 1-2 days between first vendor fix and the DSA). The majority of all
> issues could be handled a lot more transparently, IMO.

Yes, non-embargoed issues could be handled more transparently. The best way to deal with non-embargoed issues, of course, is for the package maintainer to prepare an update and send it to the security team.

-- 
 - mdz
Re: Bad press related to (missing) Debian security
On Tue, Jun 28, 2005 at 01:29:12AM +0200, martin f krafft wrote:
> So if we all recognise it as a problem, it will solve itself?

Nothing's useful if people won't use it.

Mike Stone
Re: Bad press related to (missing) Debian security
In gmane.linux.debian.devel.security, you wrote:
>> Part of the problem with security updates has to do with the fact that
>> it's just difficult to coordinate the work. Even when Wichert, mdz, and
>> others were more active, Joey still did most of the work because it was
>> often easier for one person to keep track of everything.
>
> That's exactly it. There's no effective tracking of security problems,
> and some people don't see this as a problem. That makes it extremely
> difficult for others to see what needs to be done.

Have a look at the system we use for the testing security team (I always thought it originated in the security team):
http://lists.alioth.debian.org/pipermail/secure-testing-commits/2005-June/thread.html

This system is so efficient that most communication is basically made through svn log messages.

A similar way would be very nice for stable security support as well.

The whole embargo thing about stable security is overrated anyway; as far as I can see it for May and June only mailutils, qpopper and ppxp were embargoed, so that they hadn't been publicly known when the DSA was published (and even for mailutils and qpopper there was a small time frame of 1-2 days between first vendor fix and the DSA). The majority of all issues could be handled a lot more transparently, IMO.

Cheers,
Moritz
Re: Bad press related to (missing) Debian security
also sprach Michael Stone <[EMAIL PROTECTED]> [2005.06.28.0044 +0200]:
> The security secretaries were originally going to be part of the
> solution, and there was talk from some people about writing
> a tracking system that didn't materialize. Mostly I think it just
> needs recognition that it's a problem that needs a solution.

So if we all recognise it as a problem, it will solve itself?

Wouldn't a ticket system (possibly request-tracker3) be helpful here?

-- 
Please do not send copies of list mail to me; I read the list!

 .''`.   martin f. krafft <[EMAIL PROTECTED]>
: :'  :  proud Debian developer and author: http://debiansystem.info
`. `'`
  `-  Debian - when you have better things to do than fixing a system

Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!

"the word yellow wandered through his mind in search of something to connect with." -- hitchhiker's guide to the galaxy
Re: Bad press related to (missing) Debian security
On Tue, Jun 28, 2005 at 12:00:28AM +0200, martin f krafft wrote:
> Do you guys see this as a de facto state with no solution, or is
> a good solution simply waiting to be found?

The security secretaries were originally going to be part of the solution, and there was talk from some people about writing a tracking system that didn't materialize. Mostly I think it just needs recognition that it's a problem that needs a solution.

Mike Stone
Re: debian security archive/updates b0rken???
On Sunday, 19 June 2005 08:45, Steve Langasek wrote:
> On Sun, Jun 19, 2005 at 12:31:23AM -0400, sean finney wrote:
> > please excuse this blatant cross-posting, i wouldn't do it if i didn't
> > think it were critical that i do so...
> >
> > http://www.infodrom.org/~joey/log/?200506142140
> >
> > say it isn't so!
>
> It isn't so.

... one of the largest German IT news sites today claims otherwise:
http://www.heise.de/newsticker/meldung/61076

The headline translates to "Debian without security updates for several weeks now".

I did not follow up on the current status of stable security, but in any case we should send them a response. I volunteer to translate an answer from English to German and send it to Heise.

Regards,
Sebastian

-- 
PGP-Key: http://www.mmweg.rwth-aachen.de/~sebastian.ley/public.key
Fingerprint: A46A 753F AEDC 2C01 BE6E F6DB 97E0 3309 9FD6 E3E6
Re: Bad press related to (missing) Debian security
also sprach martin f krafft <[EMAIL PROTECTED]> [2005.06.27.2100 +0200]:
> There is a problem with that, namely responsible disclosure. The
> team cannot be too big or else the other organisations in the
> consortium will object for danger of leakage.
>
> I think what we do need though is an infrastructure which makes it
> easier for people to contribute on public issues.

Petter Reinholdtsen added the following over at -project (forwarded with permission):

  There already exists a larger team monitoring security lists, CVE reports, fixing bugs and helping maintainers fix bugs etc. It works in public, and accepts help from everyone interested in participating. It is the testing security team, <http://secure-testing.alioth.debian.org/>.

  I believe that all people interested in helping out with the security work in Debian should make an effort in this team. This will directly help the security status of Debian unstable and testing (security fixes for testing are normally uploaded into unstable), and indirectly help the stable security team, as this team gets a list of security issues to track, proposed patches, knowledge about the security issues discovered, and thus less work fixing the publicly known security issues.

  In addition, it can form a good recruitment base for the stable security team. Those proving themselves in the public work with testing security will be good candidates for the stable security team.

  Isn't this a good way to do it?

... nothing to add.

-- 
Please do not send copies of list mail to me; I read the list!

 .''`.   martin f. krafft <[EMAIL PROTECTED]>
: :'  :  proud Debian developer and author: http://debiansystem.info
`. `'`
  `-  Debian - when you have better things to do than fixing a system

Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!

"when a gentoo admin tells me that the KISS principle is good for 'busy sysadmins', and that it's not an evolutionary step backwards, i wonder whether their tape is already running backwards."
Re: Bad press related to (missing) Debian security
>> That's exactly it. There's no effective tracking of security problems,
>> and some people don't see this as a problem. That makes it extremely
>> difficult for others to see what needs to be done.
>
> Do you guys see this as a de facto state with no solution, or is
> a good solution simply waiting to be found?

FWIW, Gentoo uses bugzilla to track security issues.

// Ulf
Re: Bad press related to (missing) Debian security
also sprach Michael Stone <[EMAIL PROTECTED]> [2005.06.27.2251 +0200]:
> On Mon, Jun 27, 2005 at 02:36:12PM -0400, Noah Meyerhans wrote:
> > Part of the problem with security updates has to do with the fact that
> > it's just difficult to coordinate the work. Even when Wichert, mdz, and
> > others were more active, Joey still did most of the work because it was
> > often easier for one person to keep track of everything.
>
> That's exactly it. There's no effective tracking of security problems,
> and some people don't see this as a problem. That makes it extremely
> difficult for others to see what needs to be done.

Do you guys see this as a de facto state with no solution, or is a good solution simply waiting to be found?

-- 
Please do not send copies of list mail to me; I read the list!

 .''`.   martin f. krafft <[EMAIL PROTECTED]>
: :'  :  proud Debian developer and author: http://debiansystem.info
`. `'`
  `-  Debian - when you have better things to do than fixing a system

Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!

echo '9,J8HD,[EMAIL PROTECTED]:[EMAIL PROTECTED];[EMAIL PROTECTED]@5GBIELD54DL>@8L?:5GDEJ8LDG1' |\
  sed ss,s50EBsg | tr 0-M 'p.wBt SgiIlxmLhan:o,erDsduv/cyP'
Re: Bad press related to (missing) Debian security
On Mon, Jun 27, 2005 at 09:05:20PM +0200, Frans Pop wrote:
> Even if 3.0.4 contains only the security fix

It doesn't, BTW: http://wiki.apache.org/spamassassin/changes304

// Ulf
Re: Bad press related to (missing) Debian security
On Mon, Jun 27, 2005 at 07:36:50PM +, Paul Hink wrote:
> Having one's workstation compromised (e.g. due to some vulnerability of
> Mozilla) is a serious thing. There might be confidential data (e.g.
> private e-mails) stored on it and in many cases it makes compromising a
> server much easier as well (e.g. by logging SSH passwords or stealing
> private SSH keys and their passphrases).

From a company/organisation's point of view, this might be almost as serious as getting root. If you're a system administrator, you really don't want people to get root on the machine. If you're the CEO, you're mostly concerned with not letting outsiders read and/or write secret documents, which the users often store in /home/*. Cracking the right workstation might allow an attacker to access all the documents they want.

(Something completely different: the Debian Security Audit Project has talked about auditing all of base, to make sure it's reasonably secure. Any volunteers are very welcome, as we're just three active members at the moment.)

// Ulf
Re: Bad press related to (missing) Debian security
On Mon, Jun 27, 2005 at 07:43:50PM +0100, Steve Kemp wrote:
> In some cases fixing a problem, which an upstream will not, or which
> the package maintainer cannot is *very* hard work. (eg. Mozilla/
> Kernel images).

Damn near impossible, in the case of mozilla. I trolled several times on debian-security for someone to put something together, and never got a nibble.

Mike Stone
Re: Bad press related to (missing) Debian security
On Mon, Jun 27, 2005 at 02:36:12PM -0400, Noah Meyerhans wrote:
> Part of the problem with security updates has to do with the fact that
> it's just difficult to coordinate the work. Even when Wichert, mdz, and
> others were more active, Joey still did most of the work because it was
> often easier for one person to keep track of everything.

That's exactly it. There's no effective tracking of security problems, and some people don't see this as a problem. That makes it extremely difficult for others to see what needs to be done.

Mike Stone
Re: Bad press related to (missing) Debian security
Steve Kemp wrote:
> On Mon, Jun 27, 2005 at 02:36:12PM -0400, Noah Meyerhans wrote:
>> Even allowing uploads from the secretaries could be helpful.
>
> Definitely.
>
> I've got fixed packages available right now for some of the
> bugs which have been raised in this thread, but until somebody
> can push out the advisories they're just sat around gathering dust.

I would be very happy if Steven could become a full member of the security team. We need someone there that is responsive and can do the work. I know that Steven was doing a bit of code reviewing as part of a Debian Security Audit Project (http://www.nl.debian.org/security/audit/).

>> Part of the problem with security updates has to do with the fact that
>> it's just difficult to coordinate the work.
>
> That's probably true, and kinda an argument against suddenly adding
> more members too ...

There should not be major changes, but the structure of the security team should remain current. Inactive members *should* be removed promptly and be replaced by more active members of the Debian Developer community.

- Adam
Re: Bad press related to (missing) Debian security
Adam Majer <[EMAIL PROTECTED]> wrote:
> Jan Lühr wrote:
>> In its last one to two years Woody was starving out of security
>> updates. (Samba, Mozilla, Kernel, etc.).
> These are much less of a problem since they deal with either Intranet
> only applications (Samba),

"Intranet" is not a synonym for "trusted network".

> client side applications (mozilla)

Having one's workstation compromised (e.g. due to some vulnerability of Mozilla) is a serious thing. There might be confidential data (e.g. private e-mails) stored on it and in many cases it makes compromising a server much easier as well (e.g. by logging SSH passwords or stealing private SSH keys and their passphrases).

> or the kernel that one usually rolls their own for their servers.

If the kernel images provided by Debian (stable) are to be considered insecure, that fact should be stated in clear and simple words where it will most definitely be recognized by all of its users.

Paul
Re: Bad press related to (missing) Debian security
also sprach Noah Meyerhans <[EMAIL PROTECTED]> [2005.06.27.2116 +0200]:
> of a "secretary". (though, when trying to do that kind of work,
> I've always found that I'm a whole lot better at hacking than I am
> at secretarial work; I suspect that's the case with a lot of
> developers)

Barring that I don't have much experience as a secretary, I would actually have to say that it's the other way around for me. I tend to be good at organisation and correspondence, and while I like to hack, it usually takes too much time for me, since I am a perfectionist.

Yeah, uh, so...

-- 
Please do not send copies of list mail to me; I read the list!

 .''`.   martin f. krafft <[EMAIL PROTECTED]>
: :'  :  proud Debian developer and author: http://debiansystem.info
`. `'`
  `-  Debian - when you have better things to do than fixing a system

Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!

i wish this wish not to be granted! -- achilles (hofstadter's geb)
Re: Bad press related to (missing) Debian security
On Mon, Jun 27, 2005 at 09:05:53PM +0200, martin f krafft wrote:
>> The secretary position was originally created to help this
>> situation, but it was never really clear to me what my role was
>> supposed to be.
>
> I never understood it either.
>
> How much information can be disclosed about the inner workings of
> the security team without damage?

I don't see that the workings of the team itself are particularly sensitive, only the actual packages being worked upon. (Responsible disclosure / coordinated releases, etc).

A long time ago I wrote a small introduction to how it works; none of it is surprising, and none of it is sensitive in any way that I can see:
http://people.debian.org/~skx/team.html

Steve
--
Re: Bad press related to (missing) Debian security
> At the same time, though, I think we need to take immediate action.
> Among the first steps would be the analysis of the status quo. I am
> going through the list of CVEs right now. There are *loads*. And
> I could need help. I'll ping out to joeyh to see if we could put his
> scripts for testing-security to any use.

Ah, thanks to the testing-security team:
http://newraff.debian.org/~joeyh/demo.html

This list is about testing, but joeyh is adding
http://newraff.debian.org/~joeyh/stable-security.html
right now.

Anyway, note that the situation seems to be under control already and an announcement is under preparation. Therefore I apologise for coming across a little hectic in my post.

-- 
Please do not send copies of list mail to me; I read the list!

 .''`.   martin f. krafft <[EMAIL PROTECTED]>
: :'  :  proud Debian developer and author: http://debianbook.info
`. `'`
  `-  Debian - when you have better things to do than fixing a system

Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!

"when faced with a new problem, the wise algorithmist will first attempt to classify it as np-complete. this will avoid many tears and tantrums as algorithm after algorithm fails." -- g. niruta
Re: Bad press related to (missing) Debian security
On Mon, Jun 27, 2005 at 09:05:53PM +0200, martin f krafft wrote:
> How much information can be disclosed about the inner workings of
> the security team without damage?

Most, but not all, of the security team's work is rather routine and very uninteresting. Often it is necessary to review code and verify that it does actually fix a given problem. That can be very difficult, and is often made more difficult by the fact that we're dealing with older and no longer supported upstream versions. Package maintainers are routinely enlisted to help with the process, though, under the assumption that they are more familiar with the code than is the security team.

IMHO, the security secretaries should be the ones keeping track of builds and releasing DSAs once all the packages are updated. This doesn't require any particular skill, and is ideally suited to the role of a "secretary". (though, when trying to do that kind of work, I've always found that I'm a whole lot better at hacking than I am at secretarial work; I suspect that's the case with a lot of developers)

noah
Re: Bad press related to (missing) Debian security
Greetings,

On Monday, 27 June 2005 20:10, Adam Majer wrote:
> Jan Lühr wrote:
>> Greetings,
>>
>> On Monday, 27 June 2005 15:54, Carl-Eric Menzel wrote:
>>> Does anybody know what the actual problem is, i.e. why there are no
>>> updates?
>>
>> This is not an "actual" problem, this problem is rather imho structural. In
>> its last one to two years Woody was starving out of security updates.
>> (Samba, Mozilla, Kernel, etc.).
>
> These are much less of a problem since they deal with either Intranet
> only applications (Samba), client side applications (mozilla) or the
> kernel that one usually rolls their own for their servers. What I really
> care about from Debian security team is up-to-date fixes for server
> applications that can be exposed to the Internet. For example, apache,
> squid, spamassassin, postfix, sendmail, exim, etc...

I'm not referring to exploits / bugs in general. I'm referring to the patch-port situation in Debian.

Keep smiling
yanosz
Re: Bad press related to (missing) Debian security
also sprach Frans Pop <[EMAIL PROTECTED]> [2005.06.27.2105 +0200]:
> Even if 3.0.4 contains only the security fix, it will still be backported
> and released as 3.0.3-1sarge1 or something like that.

That's actually not guaranteed. If 3.0.4 contains only the security fix and really nothing else, I see no reason why it cannot be uploaded to security.debian.org. The reason why usually (V-1)-1sarge-1 is chosen for the version number is so that if 3.0.4 is still current by the time the next stable goes out, it will be an upgrade candidate. In this case, the delta would be zero, which would make it nonsensical and unnecessary to change the version number in the first place.

Then again, I am not sure about this... just speculating.

-- 
Please do not send copies of list mail to me; I read the list!

 .''`.   martin f. krafft <[EMAIL PROTECTED]>
: :'  :  proud Debian developer and author: http://debiansystem.info
`. `'`
  `-  Debian - when you have better things to do than fixing a system

Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!

"what's your conceptual continuity? -- well, it should be easy to see: the crux of the bisquit is the apopstrophe!" -- frank zappa
Re: Bad press related to (missing) Debian security
also sprach Marek Olejniczak <[EMAIL PROTECTED]> [2005.06.27.2039 +0200]:
> I don't understand the philosophy of Debian security team. It's
> really so difficult to push into sarge spamassassin 3.0.4 which is
> not vulnerable? This version is in Debian testing and why this
> version can't be pushed into stable?

It would not be "stable" anymore with respect to software selection. Here's the paragraph from my book:

  \item[\emph{Software feature stability}]~\\
  Stability\index{stability!feature} may also refer to the feature set provided by a software. In this definition, stable software does not introduce drastic changes or radical new features from one release to the next. Administrators appreciate feature stability because it allows them to fix bugs with newer versions without risking unwanted changes to the behaviour.

This is one of the essential and most important features of Debian stable.

-- 
Please do not send copies of list mail to me; I read the list!

 .''`.   martin f. krafft <[EMAIL PROTECTED]>
: :'  :  proud Debian developer and author: http://debianbook.info
`. `'`
  `-  Debian - when you have better things to do than fixing a system

Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!

this space intentionally left occupied.
Re: Bad press related to (missing) Debian security
also sprach Noah Meyerhans <[EMAIL PROTECTED]> [2005.06.27.2036 +0200]:
> Part of the problem with security updates has to do with the fact
> that it's just difficult to coordinate the work. Even when
> Wichert, mdz, and others were more active, Joey still did most of
> the work because it was often easier for one person to keep track
> of everything.

Sounds like an issue of workflow management to me. I want to have a lot of discussions on this topic at debconf anyway, so there's one concrete domain in need of proper CSCW (computer-supported cooperative work).

> The secretary position was originally created to help this
> situation, but it was never really clear to me what my role was
> supposed to be.

I never understood it either.

How much information can be disclosed about the inner workings of the security team without damage?

-- 
Please do not send copies of list mail to me; I read the list!

 .''`.   martin f. krafft <[EMAIL PROTECTED]>
: :'  :  proud Debian developer and author: http://debianbook.info
`. `'`
  `-  Debian - when you have better things to do than fixing a system

Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!

i must confess, I was born at a very early age. -- groucho marx
Re: Bad press related to (missing) Debian security
On Monday 27 June 2005 20:39, Marek Olejniczak wrote:
> I don't understand the philosophy of Debian security team. It's really
> so difficult to push into sarge spamassassin 3.0.4 which is not
> vulnerable? This version is in Debian testing and why this version
> can't be pushed into stable?

Seems that you don't understand the philosophy of the 'stable' release either. The basic rule for stable is: "no new upstream versions allowed". This means security updates for spamassassin need to be backported to 3.0.3 (excluding any functional changes). Even if 3.0.4 contains only the security fix, it will still be backported and released as 3.0.3-1sarge1 or something like that.
Re: Bad press related to (missing) Debian security
also sprach Matt Zimmerman <[EMAIL PROTECTED]> [2005.06.27.2026 +0200]:
> I expect it would be enough if they were all active, but that has
> never been the case for this group. Wichert, Daniel, Michael and
> myself are all de facto inactive for various reasons, and have
> been for some time.

I, for one, very much appreciate your directness and prompt answer on this matter, Matt!

> The security team has always been a difficult one to expand.
> A strong level of trust is necessary due to confidentiality
> issues, and security support is a lot of (mostly boring and
> thankless) work. However, expanding it seems like the only way to
> make it sustainable.

Yes. Let me ask you this: what would you deem the ideal size of the team? In the beginning you said 5-7 would be enough. Would you make it bigger if you could?

-- 
Please do not send copies of list mail to me; I read the list!

 .''`.   martin f. krafft <[EMAIL PROTECTED]>
: :'  :  proud Debian developer and author: http://debianbook.info
`. `'`
  `-  Debian - when you have better things to do than fixing a system

Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!

"'this must be a thursday,' said arthur to himself, sinking low over his beer. 'i never could get the hang of thursdays.'" -- hitchhiker's guide to the galaxy
Re: Bad press related to (missing) Debian security
On Monday, 27.06.2005, 11:26 -0700, Matt Zimmerman wrote:
>> # Security Team -- <[EMAIL PROTECTED]>
>>   /member/ Martin Schulze
>>   /member/ Wichert Akkerman
>>   /member/ Daniel Jacobowitz
>>   /member/ Michael Stone
>>   /member/ Matt Zimmerman
>>   /secretary/ Noah Meyerhans
>>   /secretary/ Steve Kemp
> the case for this group. Wichert, Daniel, Michael and myself are all de
> facto inactive for various reasons, and have been for some time.

So they should be removed from the security team to represent the real situation.

-- 
Noèl Köthe
Re: Bad press related to (missing) Debian security
Matt Zimmerman wrote on 27/06/2005 20:26:
> On Mon, Jun 27, 2005 at 01:10:10PM -0500, Adam Majer wrote:
>> are happy the fix will not mess up current functionality. How many
>> people do we need on the actual security team? The current listing states,
>>
>> # Security Team -- <[EMAIL PROTECTED]>
>>   /member/ Martin Schulze
>>   /member/ Wichert Akkerman
>>   /member/ Daniel Jacobowitz
>>   /member/ Michael Stone
>>   /member/ Matt Zimmerman
>>   /secretary/ Noah Meyerhans
>>   /secretary/ Steve Kemp
>>
>> Is this enough?
>
> I expect it would be enough if they were all active, but that has never been
> the case for this group. Wichert, Daniel, Michael and myself are all de
> facto inactive for various reasons, and have been for some time.

So what you are saying is basically: The security team currently is Martin Schulze who has two secretaries (whatever a secretary for the security team might do).

> The security team has always been a difficult one to expand. A strong level
> of trust is necessary due to confidentiality issues, and security support is
> a lot of (mostly boring and thankless) work.

Like I said in another mail, the security team should probably consist of two groups (which might have some intersection). However, the level of trust needed to get on the security team shouldn't be so high that only one active member is on the team. Given the size of Debian and the fact that the only remaining active member of the team is overworked due to his many activities in Debian (I thank him for everything he does and did), I would say that at least five new members should be found for the team.

> However, expanding it seems like the only way to make it sustainable.

Obviously. And I also have to say: If you haven't been active on the team for some time, you should have made that clear on the listing. I really can't understand how you (as a group) could let it get this far. If most of the group is inactive, you should at least find the time to accept some new members into the group (and I know many have offered their help). I understand that there needs to be some level of trust, so you probably should appoint some person you can trust for one reason or another. However, while I see that a high level of trust is needed for access to non-public security lists, I don't see why Debian as a whole should require a substantially higher level of trust for security uploads than for normal uploads. Though I wouldn't want every maintainer to have the ability to directly upload to security.d.o, I wouldn't have a problem assigning an almost random number of them the ability and responsibility to do so.

BTW: If he accepted, I would recommend Martin F. Krafft to get on the team.

cu,
sven
Re: Bad press related to (missing) Debian security
On Mon, Jun 27, 2005 at 08:39:43PM +0200, Marek Olejniczak wrote:
> I don't understand the philosophy of Debian security team. It's really so
> difficult to push into sarge spamassassin 3.0.4 which is not vulnerable?
> This version is in Debian testing and why this version can't be push into
> stable?

In some cases fixing a problem, which an upstream will not, or which the package maintainer cannot, is *very* hard work (e.g. Mozilla/kernel images).

In this particular case pushing the package itself isn't a hard job - the problem we're currently seeing isn't that the job is hard, but that only a very small number of people have the authority/ability to push the update out.

Steve
-- 
Re: Bad press related to (missing) Debian security
On Mon, Jun 27, 2005 at 02:36:12PM -0400, Noah Meyerhans wrote:
> Even allowing uploads from the secretaries could be helpful.

Definitely. I've got fixed packages available right now for some of the bugs which have been raised in this thread, but until somebody can push out the advisories they're just sat around gathering dust.

> Part of the problem with security updates has to do with the fact that
> it's just difficult to coordinate the work.

That's probably true, and kinda an argument against suddenly adding more members too ...

> The secretary position was originally created to help this situation,
> but it was never really clear to me what my role was supposed to be.

I admit the role of the position is also a mystery to me, but one that I've not worried too much about. Reviewing patches and building fixed packages is what I've tried to do - whether that is the intended job of a secretary is largely irrelevant. Other jobs like answering mails from people who say "Help my server is hacked" seem more "secretarial" in nature, so I've tried to answer those as time and details permit.

Steve
-- 
www.steve.org.uk
Re: Bad press related to (missing) Debian security
On Mon, 27 Jun 2005, Matt Zimmerman wrote:
> The security team has always been a difficult one to expand. A strong level
> of trust is necessary due to confidentiality issues, and security support is
> a lot of (mostly boring and thankless) work. However, expanding it seems
> like the only way to make it sustainable.

I don't understand the philosophy of Debian security team. It's really so difficult to push into sarge spamassassin 3.0.4 which is not vulnerable? This version is in Debian testing and why this version can't be push into stable?

---
Marek
Re: Bad press related to (missing) Debian security
On Mon, Jun 27, 2005 at 11:26:37AM -0700, Matt Zimmerman wrote:
> The security team has always been a difficult one to expand. A strong level
> of trust is necessary due to confidentiality issues, and security support is
> a lot of (mostly boring and thankless) work. However, expanding it seems
> like the only way to make it sustainable.

Even allowing uploads from the secretaries could be helpful. Steve Kemp has done a lot of good work in his role as secretary (much more than I've ever done). In cases where Joey is offline for an extended period of time, having Steve or myself perform uploads might make the most sense. We already have some state WRT the current issues, and have all the same patches that Joey has. It's mostly a matter of coordinating releases with other vendors and making sure that the newly released package has the right changes applied and has a sane version number.

Part of the problem with security updates has to do with the fact that it's just difficult to coordinate the work. Even when Wichert, mdz, and others were more active, Joey still did most of the work because it was often easier for one person to keep track of everything. The secretary position was originally created to help this situation, but it was never really clear to me what my role was supposed to be.

noah
Re: Bad press related to (missing) Debian security
On Monday 27 June 2005 20:26, Matt Zimmerman wrote:
> I expect it would be enough if they were all active, but that has
> never been the case for this group. Wichert, Daniel, Michael and
> myself are all de facto inactive for various reasons, and have been
> for some time.

And according to Steve Kemp, the secretaries can't push out updates. Which leaves us with Joey.

Maybe it would be a good first step to turn the secretaries into full members (if they want that)? But I agree with Martin F. Krafft that the security team should have quite a few more members.

Cheers,
Stefan
Re: Bad press related to (missing) Debian security
On Mon, Jun 27, 2005 at 01:10:10PM -0500, Adam Majer wrote:
> are happy the fix will not mess up current functionality. How many
> people do we need on the actual security team? The current listing states,
>
> # Security Team -- <[EMAIL PROTECTED]>
> /member/ Martin Schulze
> /member/ Wichert Akkerman
> /member/ Daniel Jacobowitz
> /member/ Michael Stone
> /member/ Matt Zimmerman
> /secretary/ Noah Meyerhans
> /secretary/ Steve Kemp
>
> Is this enough?

I expect it would be enough if they were all active, but that has never been the case for this group. Wichert, Daniel, Michael and myself are all de facto inactive for various reasons, and have been for some time.

The security team has always been a difficult one to expand. A strong level of trust is necessary due to confidentiality issues, and security support is a lot of (mostly boring and thankless) work. However, expanding it seems like the only way to make it sustainable.

-- 
- mdz
Re: Bad press related to (missing) Debian security
Jan Lühr wrote:
> Greetings,
>
> On Monday, 27 June 2005 15:54, Carl-Eric Menzel wrote:
>
>> Does anybody know what the actual problem is, i.e. why there are no
>> updates?
>
> This is not an "actual" problem, this problem is rather imho structural. In
> its last one to two years Woody was starving out of security updates.
> (Samba, Mozilla, Kernel, etc.).

These are much less of a problem since they deal with either Intranet only applications (Samba), client side applications (mozilla) or the kernel that one usually rolls their own for their servers.

What I really care about from Debian security team is up-to-date fixes for server applications that can be exposed to the Internet. For example, apache, squid, spamassassin, postfix, sendmail, exim, etc...

This time around, there has been a remote DoS against spamassassin for quite a while now and no fix. The maintainer of spamassassin fixed the problem next day (backport) and apparently submitted it to the security team (at least that's what I've been told), yet there has been no response whatsoever.

IMHO, the entire structure of the security team should probably be overhauled. The maintainers should patch the problems (backport, whatever) and the security team just authorizes the rebuild once they are happy the fix will not mess up current functionality. How many people do we need on the actual security team? The current listing states,

# Security Team -- <[EMAIL PROTECTED]>
/member/ Martin Schulze
/member/ Wichert Akkerman
/member/ Daniel Jacobowitz
/member/ Michael Stone
/member/ Matt Zimmerman
/secretary/ Noah Meyerhans
/secretary/ Steve Kemp

Is this enough?

- Adam
Re: Bad press related to (missing) Debian security
also sprach Bob Tanner <[EMAIL PROTECTED]> [2005.06.27.1939 +0200]:
> How would one go about getting on the security team?

Current practice is: you don't. The security team advises you to send notices and patches their way. At any point, they may invite people who have made significant contributions to join their ranks.

I don't know more details and would love to find out.

-- 
Please do not send copies of list mail to me; I read the list!

 .''`.     martin f. krafft <[EMAIL PROTECTED]>
: :'  :    proud Debian developer and author: http://debianbook.info
`. `'`
  `-  Debian - when you have better things to do than fixing a system

Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!

"people don't want a president to say 'never'. using violence is never the first choice of the president".
-- george w. bush
Re: Bad press related to (missing) Debian security
[cc'ing -project]

also sprach W. Borgert <[EMAIL PROTECTED]> [2005.06.27.1525 +0200]:
> Just FYI: The well-known German Heise Newsticker (IT related) has an
> article today with the title "Debian without security update for
> several weeks": http://www.heise.de/newsticker/meldung/61076
> Hm, bad reputation for us...

It was only a question of time. I had asked Joey publicly about this at Linuxtag, so it's likely that this is the reason for the coverage by Heise. While I did not want to push Joey into a corner, it was quite scary to hear him explain that due to his involvement with Linuxtag, he did not even find the time to read his email.

This is not to blame Joey (without whom we wouldn't be where we are), but rather a plea for the Debian project to take *immediate* action. If Joey does not have time, security support just comes to a screeching halt. Talk about a bottleneck!

Our security team currently consists of five members and two secretaries. Joey is hopelessly overworked, but he is still doing a marvelous job. I do not know anything about the other members as they do not seem to be very active, neither on IRC nor on the mailing lists.

The problem is that access to security.debian.org is restricted. Well, that's a good thing. But it's a problem when it comes to bottleneck situations as in the current case, when Joey is too occupied to handle his tasks as security team leader. I don't blame him at all. Without him, there would probably be far less Linuxtag, and he is after all not committed to spend 24 hours of his days on Debian! But I do wonder: if Joey was busy for two weeks and security.debian.org was not working right, what did the other four members and the two secretaries do?

I think we all agree that we cannot go on like this. We need to add a lot of redundancy to the team. And with that, I don't mean the one or two new members Joey promised in his answer to me. With that, I mean that the size of the archive calls for a security team of 20 people or more.

Security is a delicate domain since Debian does need to ensure a level of privacy, so calling for complete openness as with other projects won't work. Obviously, we can't just appoint the first 20 to raise their hands. But what we can do is figure out the skills needed to successfully work with the team and ensure Debian's quality.

So far, these requirements have been very unclear to me, at least. There have been times when I was very active, monitoring security forums and fixing bugs, but the security team never approached me for help. I have been teaching security to professional audiences for five years now, so I would actually claim to have at least the necessary foundation upon which I can quickly learn to adapt to the processes of the security team. I am sure I am not the only one. And I am also sure not to be the only one without a clue what to do.

In general, my experience has been that [EMAIL PROTECTED] is a black hole, and that offers to help are ignored. Of course, the Debian meritocracy calls for us to just do something to rise up the ladder according to our accomplishments, but as with the other obscure domains of the Debian project, which are not open to anyone to just peek at and learn, it's really difficult to do this when it means working as a blind person with a couple of mutes.

So at the end of this very long post, I guess I get in line with all the other folks who'd like to have a statement from the other members of the security team about what's going on. At the same time, though, I think we need to take immediate action.

Among the first steps would be the analysis of the status quo. I am going through the list of CVEs right now. There are *loads*. And I could use help. I'll ping out to joeyh to see if we could put his scripts for testing-security to any use.

As soon as we have a list of issues, everyone involved in security issues should get on the debian-security list (that's what we have) and add references to bug reports, or open new discussion threads. From there, we should try to create fixed packages one after the other and do everything we can to make it as easy as possible for Joey to upload.

Once we've come back to normal, we should then see what to do about

Thanks for your patience.

-- 
Please do not send copies of list mail to me; I read the list!

 .''`.     martin f. krafft <[EMAIL PROTECTED]>
: :'  :    proud Debian developer, admin, user, and author
`. `'`
  `-  Debian - when you have better things to do than fixing a system

Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!

"i don't think so," said rene descartes. just then, he vanished.
Re: Bad press related to (missing) Debian security
Bob Tanner wrote:
> How would one go about getting on the security team?
>
> If the entry into the security team is as convoluted as becoming a debian
> developer I understand why the security team does not have enough active
> members.

I would assume you need to be a DD before you can join the security team.

- Adam
Re: Bad press related to (missing) Debian security
On Monday 27 June 2005 09:53 am, Martin Lohmeier wrote:
> time to get s.d.o working --> not enough active member in the security
> team.

How would one go about getting on the security team?

If the entry into the security team is as convoluted as becoming a debian developer I understand why the security team does not have enough active members.

-- 
Bob Tanner <[EMAIL PROTECTED]>          | Phone : (952)943-8700
http://www.real-time.com, Minnesota, Linux | Fax   : (952)943-8500
Key fingerprint = AB15 0BDF BCDE 4369 5B42 1973 7CF1 A709 2CC1 B288
Re: Bad press related to (missing) Debian security
Greetings,

On Monday, 27 June 2005 15:54, Carl-Eric Menzel wrote:
> On Mon, 27 Jun 2005 15:50:19 +0200, "Jan Wagner" <[EMAIL PROTECTED]> said:
> > On Monday 27 June 2005 15:25, W. Borgert wrote:
> > > Just FYI: The well-known German Heise Newsticker (IT related) has an
> > > article today with the title "Debian without security update for
> > > several weeks": http://www.heise.de/newsticker/meldung/61076
> > > Hm, bad reputation for us...
> >
> > This was only a question of time .. :(
>
> Does anybody know what the actual problem is, i.e. why there are no
> updates?

This is not an "actual" problem, this problem is rather imho structural. In its last one to two years Woody was starving out of security updates. (Samba, Mozilla, Kernel, etc.).

Keep smiling
yanosz
Re: Bad press related to (missing) Debian security
Carl-Eric Menzel wrote:
> Does anybody know what the actual problem is, i.e. why there are no
> updates?
>
> Carl-Eric

Hi,

problem: http://www.infodrom.org/~joey/log/?200506142140

In the discussion on the heise.de article people mentioned [1] the security "team" (Martin Schulze) has been at LinuxTag and so he had no time to get s.d.o working --> not enough active members in the security team.

by,
Martin

[1] http://www.heise.de/security/news/foren/go.shtml?read=1&msg_id=8278429&forum_id=80872

-- 
Powered by Debian GNU / Linux
Re: Bad press related to (missing) Debian security
On Mon, 27 Jun 2005 15:50:19 +0200, "Jan Wagner" <[EMAIL PROTECTED]> said:
> On Monday 27 June 2005 15:25, W. Borgert wrote:
> > Just FYI: The well-known German Heise Newsticker (IT related) has an
> > article today with the title "Debian without security update for
> > several weeks": http://www.heise.de/newsticker/meldung/61076
> > Hm, bad reputation for us...
>
> This was only a question of time .. :(

Does anybody know what the actual problem is, i.e. why there are no updates?

Carl-Eric
Re: Bad press related to (missing) Debian security
On Monday 27 June 2005 15:25, W. Borgert wrote:
> Just FYI: The well-known German Heise Newsticker (IT related) has an
> article today with the title "Debian without security update for
> several weeks": http://www.heise.de/newsticker/meldung/61076
> Hm, bad reputation for us...

This was only a question of time .. :(

Regards, Jan.
Bad press related to (missing) Debian security
Just FYI: The well-known German Heise Newsticker (IT related) has an article today with the title "Debian without security update for several weeks": http://www.heise.de/newsticker/meldung/61076

Hm, bad reputation for us...