Summary of DebConf5 from the point of view of this team:

- I gave my talk about securing testing. Thanks to Micah who demoed working with CAN/list during the talk. The paper for the talk as well as my slides are in svn at <svn+ssh://[EMAIL PROTECTED]/svn/secure-testing/doc/talks/debconf5>. A video of the talk is at <http://dc5video.debian.net/2005-07-12/08-Securing_the_Testing_Distribution-Joey_Hess.mpeg>.

- The talk spurred quite a bit of interest and several congratulations on getting this far, which I want to pass along to the whole team. I got the impression from some people, like Bdale, that they had been waiting for this for a long time and were really pleased to see it happen. I think there's also a (valid) perception that we're doing a great job at comprehensively tracking vulnerabilities but not so good a job at actually fixing them, yet.

- There was enough interest for a BOF session with 20 or 30 attendees after the talk. One of the things we discussed there was cooperating more closely with the stable security team. But the only member in attendance was Matt Zimmerman, who is currently sorta inactive.

- One idea that came up was using this team as the foundation for a "public" security team, and keeping this separate from the vendor-sec stuff handled well enough by the stable team. I pointed out that I couldn't speak for the team about whether we were interested in tracking/dealing with stable security holes (and that I'm not so much interested in it myself).

- Ubuntu's security guy, Martin Pitt, was also there, and we also discussed ways to work with Ubuntu. He does more or less the same kind of work we do for tracking vulnerabilities, although he tries to automate the tracking of closed vulns via grepping changelogs with his script, as has been discussed here before. No firm conclusions were reached, and some kind of cooperation should be followed up on.

- People did not like the CAN-XXX-XXXX entries during the talk, and were also nonplussed by entries like "dpkg (unfixed)" that didn't have a bug number at the time (the dpkg maintainer was in the audience and this was the first he'd heard of the zlib hole affecting dpkg). I hope we can do better at getting bugs filed quickly; this is an especial problem if one team member adds a CAN-XXX-XXXX with an unfixed item and no bug number, as it can be hard to figure out what they're referring to then.

- Matt Zimmerman gave us some pointers on communicating with Mitre to get CAN numbers. He offered to forward things along to them (he's mdz at debian.org) and get CANs. Also, he's introduced us to Steven Christey at Mitre. Not sure if Steven's email address is publicly available so I won't post it here, but I can send it to any member of the team, and when you have a new, generally unknown (ie, just discovered by someone in debian, not on bugtraq) security hole you should be able to mail him and get a CAN number assigned quickly. We can also use this to find/get CANs assigned for public holes that just seem to lack CANs, but that is a different process since they have to check for duplicates then; however mailing Steven should still work. This info may not be perfectly accurate, it's just what I recall from what Matt said.

- We've gained a new team member, Martin Zobel-Helas. zobel already tracks and deals with security holes for the packages in the volatile archive.

- zobel and Andreas Barth currently run Debian's experimental/volatile autobuilding network and they've volunteered to use that network for autobuilding testing security updates on all arches and providing a repo for them. We're still working out the details and setting things up.

-- 
see shy jo
Secure-testing-commits mailing list
[email protected]
http://lists.alioth.debian.org/mailman/listinfo/secure-testing-commits