[Secure-testing-commits] t-s bits from DebConf5
Joey Hess
joeyh at debian.org
Tue Jul 19 14:39:33 UTC 2005
Summary of DebConf5 from the point of view of this team:
- I gave my talk about securing testing. Thanks to Micah who demoed
working with CAN/list during the talk. The paper for the talk as well
as my slides are in svn at
<svn+ssh://joeyh@svn.debian.org/svn/secure-testing/doc/talks/debconf5>.
A video of the talk is at
<http://dc5video.debian.net/2005-07-12/08-Securing_the_Testing_Distribution-Joey_Hess.mpeg>.
- The talk spurred quite a bit of interest and several congratulations
on getting this far, which I want to pass along to the whole team.
I got the impression from some people, like Bdale, that they had been
waiting for this for a long time and were really pleased to see it
happen. I think there's also a (valid) perception that we're doing a
great job at comprehensively tracking vulnerabilities but not so good a
job at actually fixing them, yet.
- There was enough interest for a BOF session with 20 or 30 attendees
after the talk. One of the things we discussed there was cooperating
more closely with the stable security team. But the only member in
attendance was Matt Zimmerman, who is currently sorta inactive.
- One idea that came up was using this team as the foundation for a
"public" security team, and keeping this separate from the vendor-sec
stuff handled well enough by the stable team. I pointed out that I
couldn't speak for the team about whether we were interested in
tracking/dealing with stable security holes (and that I'm not so much
interested in it myself).
- Ubuntu's security guy, Martin Pitt, was also there, and we also
discussed ways to work with Ubuntu. He does more or less the same
kind of work we do for tracking vulnerabilities, although he tries to
automate the tracking of closed vulns via grepping changelogs with
his script, as has been discussed here before. No firm conclusions
were reached, and some kind of cooperation should be followed up on.
- People did not like the CAN-XXX-XXXX entries during the talk, and
were also nonplussed by entries like "dpkg (unfixed)" that didn't
have a bug number at the time (dpkg maintainer was in the audience
and this was the first he'd heard of the zlib hole affecting dpkg). I
hope we can do better at getting bugs filed quickly; this is an
especial problem if one team member adds a CAN-XXX-XXXX with an
unfixed item and no bug number as it can be hard to figure out what
they're referring to then.
- Matt Zimmerman gave us some pointers on communicating with Mitre to
get CAN numbers. He offered to forward things along to them (he's mdz
at debian.org) and get CANs. Also, he's introduced us to Steven
Christey at Mitre. Not sure if Steven's email address is publicly
available so I won't post it here but I can send it to any member of
the team, and when you have a new, generally unknown (i.e., just
discovered by someone in debian, not on bugtraq) security hole you
should be able to mail him and get a CAN number assigned quickly. We
can also use this to find/get CANs assigned for public holes that
just seem to lack CANs, but that is a different process since they
have to check for duplicates then; however mailing Steven should
still work.
This info may not be perfectly accurate, it's just what I recall from
what Matt said.
- We've gained a new team member, Martin Zobel-Helas. zobel already
tracks and deals with security holes for the packages in the volatile
archive.
- zobel and Andreas Barth currently run Debian's experimental/volatile
autobuilding network and they've volunteered to use that network for
autobuilding testing security updates on all arches and providing a
repo for them. We're still working out the details and setting things
up.
--
see shy jo
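Two of the points above (automating "closed vuln" tracking by grepping changelogs, and unfixed entries that carry no bug number) can be checked mechanically. The script below is an added illustration, not Martin Pitt's script nor the secure-testing tracker's own code; the list syntax ("- package (status; bug #N)"), the CAN ids, bug numbers and changelog excerpts are all constructed for the example.

```python
import re

# Constructed sample data. The list syntax ("- package (status; bug #N)") is
# an assumed simplification for this example, not the real tracker format.
TRACKER_LIST = """\
CAN-2005-0001 (zlib: buffer overflow in inflate; constructed id)
\t- zlib (unfixed; bug #100001)
\t- dpkg (unfixed)
CAN-2005-0002 (example: format string; constructed id)
\t- example (fixed 1.0-2)
"""

# Constructed debian/changelog excerpts, keyed by source package.
CHANGELOGS = {
    "zlib": "zlib (1:1.2.2-9) unstable; urgency=high\n\n"
            "  * Fix buffer overflow in inflate() (CAN-2005-0001).\n\n -- Maint <m@example.org>  Mon, 18 Jul 2005 12:00:00 +0000\n",
    "dpkg": "dpkg (1.13.10) unstable; urgency=low\n\n  * Unrelated change.\n\n -- Maint <m@example.org>  Mon, 18 Jul 2005 12:00:00 +0000\n",
}

CAN_RE = re.compile(r"CAN-\d{4}-\d{4}")
ENTRY_RE = re.compile(r"^\s*-\s*(\S+)\s*\((unfixed|fixed[^;)]*)(?:;\s*bug\s*#(\d+))?\)")

def parse_list(text):
    """Return {CAN id: [(package, status, bug number or None), ...]}."""
    entries, current = {}, None
    for line in text.splitlines():
        head = CAN_RE.match(line)          # a line starting with a CAN id opens an entry
        if head:
            current = head.group(0)
            entries[current] = []
            continue
        entry = ENTRY_RE.match(line)       # indented "- package (status)" lines belong to it
        if entry and current:
            entries[current].append(entry.groups())
    return entries

def review(entries, changelogs):
    """Return (closed, missing_bug) for per-package entries still marked unfixed."""
    # closed: the package's changelog already cites the CAN, so the entry can be
    # marked fixed; missing_bug: unfixed with no bug number for the maintainer.
    closed, missing_bug = [], []
    for can, pkgs in entries.items():
        for pkg, status, bug in pkgs:
            if status != "unfixed":
                continue
            if can in CAN_RE.findall(changelogs.get(pkg, "")):
                closed.append((can, pkg))
            if bug is None:
                missing_bug.append((can, pkg))
    return closed, missing_bug
```

Run it as `review(parse_list(TRACKER_LIST), CHANGELOGS)`; with the constructed data it reports the zlib entry as already closed by its changelog and the dpkg entry as unfixed with no bug filed.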