Re: staging security updates

2016-04-28 Thread Antoine Beaupré
On 2016-04-28 10:25:23, Moritz Muehlenhoff wrote:
> On Thu, Apr 28, 2016 at 10:03:44AM -0400, Antoine Beaupré wrote:
>> On 2016-04-28 02:54:36, Brian May wrote:
>> > - Created private signed repository for staging my proposed updates for
>> >   testing. https://people.debian.org/~bam/debian/
>> 
>> Could we have a proposed-updates suite for security the same way we have
>> for stable point releases? 
>
> Yes. We've discussed this at a previous security team meeting and I also
> filed a bug at https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=817286
>
> Let's discuss implementation details and how to achieve this on this
> bug.

Thanks for the reference, I will follow up there.

A.

-- 
To be naive and easily deceived is impermissible, today more than
ever, when the prevailing untruths may lead to a catastrophe because
they blind people to real dangers and real possibilities.
- Erich Fromm



Re: staging security updates

2016-04-28 Thread Moritz Muehlenhoff
On Thu, Apr 28, 2016 at 10:03:44AM -0400, Antoine Beaupré wrote:
> On 2016-04-28 02:54:36, Brian May wrote:
> > - Created private signed repository for staging my proposed updates for
> >   testing. https://people.debian.org/~bam/debian/
> 
> Could we have a proposed-updates suite for security the same way we have
> for stable point releases? 

Yes. We've discussed this at a previous security team meeting and I also
filed a bug at https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=817286

Let's discuss implementation details and how to achieve this on this
bug.

Cheers,
Moritz



Re: Urgent Card REF#184441

2016-04-28 Thread hilton3514 .
Where is it
On 21 Apr 2016 23:53, "Notice"  wrote:

> Smile Arif The Address arifbeg...@gmail.com has been Selected  We're
> giving our customers a 500 Morrison's Voucher Gift  FeelingLucky?
> 
>


staging security updates

2016-04-28 Thread Antoine Beaupré
On 2016-04-28 02:54:36, Brian May wrote:
> - Created private signed repository for staging my proposed updates for
>   testing. https://people.debian.org/~bam/debian/

So I've been thinking about this as well, and this seems to be a
resource we all need and should figure out a way to implement in a
broader scope.

Right now, I also have my own ad-hoc repo on people.debian.org, but I
haven't made the jump of deploying reprepro out there, and before I do
that, I figured it would be nice to discuss with others how best to
implement this collectively.

For me, the requirement is to have an archive where we can publish
non-embargoed security upgrades for broader testing before it migrates
into the regular security suite. Optionally, it could also (reproducibly?)
build the packages for all supported architectures.

I've looked at Debomatic just to get things out the door, but I'm still
waiting for access there. Because it's not an official project and
it doesn't bridge with our existing authentication mechanisms, that
doesn't seem to be an option that works well just yet. Plus the suites
are set up weirdly[1] and there's no "wheezy" suite.

 [1] http://debomatic-amd64.debian.net/debomatic/jessie-backports/dists/jessie-backports/

Could we have a proposed-updates suite for security the same way we have
for stable point releases? I know we generally want to push security
updates out as quickly as possible, but some issues are very public
already and we sometimes lag enough that it doesn't matter that we take
a few more days, giving people the chance to test things first. This is
especially relevant with LTS where we generally *are* lagging behind
updates, basically by design.

I know there's a sensitive issue of using Debian infrastructure for
consulting at play here. Maybe we can flip that around and actually
*leverage* LTS sponsors to make something work for Debian as a whole. :)

Is that crazy? Not a new idea? Flamebait? Thanks for any feedback. :)

A.

-- 
In a world where Henry Kissinger wins the Nobel Peace Prize,
there is no need for satire.
- Tom Lehrer
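A minimal layout for the kind of staging suite discussed in this thread, as an added illustration and not a copy of Brian's or Antoine's repository configuration: the reprepro `conf/distributions` stanza on the server side, and the apt source plus pin a tester would use so that staged packages are installable on request but do not replace the official security suite on a routine upgrade. The suite name `wheezy-security-proposed`, the `Origin`/`Label` strings, the signing key ID and the reuse of Brian's URL as the repository address are all assumptions.

```text
# Server side, in the reprepro base directory: conf/distributions
# (suite name, Origin/Label and the signing key ID are assumptions)
Origin: Debian LTS staging
Label: Debian LTS staging
Suite: wheezy-security-proposed
Codename: wheezy-security-proposed
Architectures: source amd64 i386
Components: main
Description: Staged non-embargoed wheezy security updates, for testing only
# Sign Release/InRelease with a dedicated key that lives on the repository
# host, so testers pin their trust to that one key (placeholder key ID).
SignWith: 0123456789ABCDEF

# Tester side: /etc/apt/sources.list.d/lts-staging.list
# (Brian's URL is reused here only as a placeholder)
deb https://people.debian.org/~bam/debian/ wheezy-security-proposed main
deb-src https://people.debian.org/~bam/debian/ wheezy-security-proposed main

# Tester side: /etc/apt/preferences.d/lts-staging
Explanation: Priority 100 keeps the staged packages installable only on
Explanation: explicit request. A plain "apt-get upgrade" still follows the
Explanation: real security suite; a tester opts in per package with
Explanation:   apt-get install -t wheezy-security-proposed <package>
Package: *
Pin: release n=wheezy-security-proposed
Pin-Priority: 100
```

Packages go in with `reprepro -b <basedir> include wheezy-security-proposed <pkg>.changes`, and reprepro's `Uploaders:` field can restrict `include` to .changes files signed by listed keys, which is the closest thing to the "existing authentication mechanisms" Antoine mentions. On the tester side the signing key should be dropped into /etc/apt/trusted.gpg.d/ only after its fingerprint has been checked out of band (for a DD's key, against the debian-keyring package), not fetched from the repository itself; wheezy and jessie also need apt-transport-https installed for an https source.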



Re: tracking security issues without CVEs

2016-04-28 Thread Paul Wise
On Mon, Mar 28, 2016 at 10:34 PM, Andrew Deck wrote:

> On a related note, does anyone know what happened to OSF and the OSVDB?
> There still seem to be blog updates, but I remember OSVDB having a web
> UI, and the OSF website seems to be down.

They have officially closed the OSVDB site:

https://blog.osvdb.org/2016/04/05/osvdb-fin/

-- 
bye,
pabs

https://wiki.debian.org/PaulWise



External check

2016-04-28 Thread Raphael Geissert
CVE-2016-3708: RESERVED
--
The output might be a bit terse, but the above ids are known elsewhere,
check the references in the tracker. The second part indicates the status
of that id in the tracker at the moment the script was run.