Re: [all candidates] Advertising testing and security support
On 2013-03-19 16:52, Jérémy Bobbio wrote:
> Even if a dedicated team is supposed to care about security in
> testing [1], the dedicated mailing-list [2] has not seen an
> announcement since February 2011.

Debian Security Advisories don't only comment on the stable for stable
-- looking through recent DSAs, most of the time a fix has been ready
for testing as well as stable.

> Dear candidates, do you think it would be wise to advertise `testing`
> as a usable distribution to our users given that state of affairs?

I am already happy to advertise testing to large categories of users,
so yes, as long as the reasons to choose this option compared to
stable, and the reasons to avoid it, are made clear.

Are you only talking about increasing official mention of testing as an
option, or do you think that individual people don't feel they are
welcome to advertise testing? (If so, why do you think they don't?)

> Given that our security support for stable is already not as good as
> it could be, do you think we should encourage volunteers to be more
> active in security support for testing?

From our current starting point, I don't see that encouraging more use
of testing would be likely to harm stable security support. I am
slightly worried that if we had a popular rolling release different
from current testing it might indirectly harm the quality of the stable
releases, but I still wouldn't see that as a reason to try to
discourage people from working on things they want.

> Do you have ideas on how to attract more volunteers to the dull, hard,
> and sometimes boring tasks of taking care of security issues in
> Debian?

It's not clear to me why you seem to think that dealing with security
issues is more dull/boring than general package maintenance!

Locating security issues may sometimes be challenging, but can be quite
fun; the prospect of early access to embargoed information can attract
some people; and working across the whole distribution should be more
varied/interesting than working on individual packages. Perhaps part of
the way to attract more people could be to look for them while
emphasising these positive aspects?

I equally don't think we should assume that something being hard will
in itself discourage volunteers.

In practical terms I don't see any difference from how to get more
volunteers for anything in Debian: those currently involved and others
interested in the topic should provide clear documentation (including
e.g. wiki pages with current status and things people could work on),
advertise what's happening and the desire for volunteers on the mailing
lists, and reach out to people working on related topics for ideas and
possible direct help.

-- 
Moray

-- 
To UNSUBSCRIBE, email to debian-vote-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/1d80ba81653598f2605978ba173c1...@www.morayallan.com
Re: [all candidates] Advertising testing and security support
Jérémy Bobbio <lu...@debian.org> writes:
> Dear candidates, do you think it would be wise to advertise `testing`
> as a usable distribution to our users given that state of affairs?
>
> Given that our security support for stable is already not as good as
> it could be, do you think we should encourage volunteers to be more
> active in security support for testing?

First of all, our security team is doing an excellent job: considering
the amount of work required and how few people they are, their response
time and the quality of the work they do are very high. Could it be
improved? Yes, of course. With enough manpower at our disposal, we could
pro-actively search for and find security issues! But we're nowhere near
that, nor should we be, I believe.

As for advertising testing: for some uses, we should, yes. But without
security updates managed by the security team, those uses are fairly
limited, and the consequences must be kept in mind. This makes it hard
to make a good case for testing. If we had enough manpower to handle
security updates for testing as well (either via unstable, or through
other channels), that would help tremendously. Not only our users, but
our maintainers would have it slightly easier too.

Therefore, I find it a commendable task to encourage volunteers to work
on security support (be that for stable, testing or otherwise).

> Do you have ideas on how to attract more volunteers to the dull, hard,
> and sometimes boring tasks of taking care of security issues in
> Debian?

Realizing that the task is neither dull nor boring would be one step. It
is hard quite often, though.

I do have a couple of ideas (shamelessly borrowed from my former boss,
who convinced me to work in the support department instead of
development), but these may present more problems than they solve, at
least initially.

You see, preparing security releases is a complicated task, one that
requires good knowledge in a number of areas: packaging, security, a
multitude of languages, upgrade paths, and so on and so forth. It
requires a particularly diverse set of skills. That is also what makes
it so very interesting (even entertaining, in some respects). There
aren't many people who have the diverse knowledge required, and even
fewer who are willing to sacrifice their time to do work that's mostly
invisible.

To attract more people to the task, we first need to recognise the
importance of it; we need to be *proud* of the people who are already
doing it. And then, we can encourage volunteers to help out, and
existing members to mentor them. One of the hardest parts is this, the
mentoring part (due to time constraints and an already high load, just
to name two issues), but perhaps we could persuade former members of
the security team to take on this role?

If one can learn a lot about software and security when there's someone
else to mentor, that makes it - in my experience - a lot more appealing
to volunteer than being thrown into high waters and hoping one can
swim.

Having a very, very diverse set of skills can also help one at his or
her day job (it certainly helped me), so being part of the security
team is easily a good way to further advance one's own career.

-- 
|8]

Archive: http://lists.debian.org/878v5e9wh1@galadriel.madhouse-project.org
Re: [all candidates] Advertising testing and security support
Arno Töll:
> On 19.03.2013 23:52, Jérémy Bobbio wrote:
> > Given that our security support for stable is already not as good
> > as it could be, do you think we should encourage volunteers to be
> > more active in security support for testing?
>
> With due respect, I disagree. From a user's perspective who
> occasionally interacts with the security team, I beg to differ. The
> security team does a great job, and their work is reliable,
> trustworthy and mostly invisible (which is what it should be, nobody
> wants to deal with conflicting/problematic upgrades during a security
> update). Of course, everything could always be improved - for example
> I'd like to have longer stable support cycles - but given the limited
> and restricted manpower, the result is great.
>
> I find your remaining judgment of the security team rather insulting
> than an opening of a discussion which is by no means constructive.

This was very ill-worded. Please accept my apologies if I have offended
anyone. Feel free to take the banjos out if you need compensation.

The security team is doing an amazing and fabulous job. Huge kudos to
Yves-Alexis, Dann, Florian, Raphael, Giuseppe, Moritz, Martin, Luciano,
Luk, Nico, Stefan, Thijs.

One of the team's great achievements is to tirelessly track which issues
are affecting Debian. And according to the tracker, there are close to
100 packages with open issues in stable at the moment:
https://security-tracker.debian.org/tracker/status/release/stable

That is what I was referring to. The Debian archive is amazingly large,
so that is to be expected. Security issues are not the sole
responsibility of the security team: maintainers sometimes also have a
hard time backporting fixes to a two year old code base.

Given that the stable security level could probably be enhanced with
some more brains, I was wondering about the security aspect of the
testing-as-rolling plans.

Again, truly sorry if anyone felt disheartened by my previous message.

-- 
Jérémy Bobbio                        .''`. 
lu...@debian.org                    : :Ⓐ  :  # apt-get install anarchism
                                    `. `'` 
                                      `-   
Re: [all candidates] Advertising testing and security support
On 19/03/13 at 23:52 +0100, Jérémy Bobbio wrote:
> Hi!
>
> Lucas wrote in his platform:
> > For example, we have been providing a fairly good rolling release for
> > almost 13 years with testing, but we totally fail at advertising it
> > as something supported and usable by end users.
>
> Even if a dedicated team is supposed to care about security in
> testing [1], the dedicated mailing-list [2] has not seen an
> announcement since February 2011.
>
> Dear candidates, do you think it would be wise to advertise `testing`
> as a usable distribution to our users given that state of affairs?
>
> Given that our security support for stable is already not as good as
> it could be, do you think we should encourage volunteers to be more
> active in security support for testing?
>
> Do you have ideas on how to attract more volunteers to the dull, hard,
> and sometimes boring tasks of taking care of security issues in
> Debian?

First, having security support for testing with the same (high :) )
quality as for stable would be great, of course. But I don't think that
this is a prerequisite for advertising testing as a rolling release.

- We would need to state clearly how security support for testing
  happens (mostly through unstable, etc.)
- We could discourage the use of 'testing' on multi-user systems or
  Internet servers. It's quite likely that the main use of testing will
  be desktops/laptops anyway.

Note that some successful distros have more restricted/focused security
support:

- (AFAIK) the Ubuntu Security team only issues updates for packages in
  the 'main' component. The 'universe' component is (supposed to be?)
  supported by the community.
- (AFAIK) Linux Mint relies on Ubuntu's security support.

Finally, I think that it's a chicken and egg problem, too: if we
advertise testing as a recommended alternative for users, it is more
likely that people will be interested in helping with its security
support.

Lucas

Archive: http://lists.debian.org/20130323165401.gb8...@xanadu.blop.info
Re: [all candidates] Advertising testing and security support
On 19.03.2013 23:52, Jérémy Bobbio wrote:
> Given that our security support for stable is already not as good as
> it could be, do you think we should encourage volunteers to be more
> active in security support for testing?

With due respect, I disagree. From a user's perspective who occasionally
interacts with the security team, I beg to differ. The security team
does a great job, and their work is reliable, trustworthy and mostly
invisible (which is what it should be, nobody wants to deal with
conflicting/problematic upgrades during a security update). Of course,
everything could always be improved - for example I'd like to have
longer stable support cycles - but given the limited and restricted
manpower, the result is great.

I find your remaining judgment of the security team rather insulting
than an opening of a discussion which is by no means constructive.

-- 
with kind regards,
Arno Töll
IRC: daemonkeeper on Freenode/OFTC
GnuPG Key-ID: 0x9D80F36D
Re: [all candidates] Advertising testing and security support
On Tue, March 19, 2013 23:52, Jérémy Bobbio wrote:
> Do you have ideas on how to attract more volunteers to the dull, hard,
> and sometimes boring tasks of taking care of security issues in
> Debian?

Perhaps it would be useful if we tried not to scare people away with
mischaracterizations that the work would be dull, hard or boring, or
even all those at the same time.

Thijs

Archive: http://lists.debian.org/66898070506be3c77db51de77c85237f.squir...@aphrodite.kinkhorst.nl
[all candidates] Advertising testing and security support
Hi!

Lucas wrote in his platform:
> For example, we have been providing a fairly good rolling release for
> almost 13 years with testing, but we totally fail at advertising it
> as something supported and usable by end users.

Even if a dedicated team is supposed to care about security in
testing [1], the dedicated mailing-list [2] has not seen an
announcement since February 2011.

Dear candidates, do you think it would be wise to advertise `testing`
as a usable distribution to our users given that state of affairs?

Given that our security support for stable is already not as good as
it could be, do you think we should encourage volunteers to be more
active in security support for testing?

Do you have ideas on how to attract more volunteers to the dull, hard,
and sometimes boring tasks of taking care of security issues in
Debian?

[1] http://testing-security.debian.net/
[2] http://lists.debian.org/debian-testing-security-announce/

Thanks for your answers. :)

-- 
Jérémy Bobbio                        .''`. 
lu...@debian.org                    : :Ⓐ  :  # apt-get install anarchism
                                    `. `'` 
                                      `-   