[Secure-testing-commits] r11636 - data/CVE
Michael S. Gilbert
michael.s.gilbert at gmail.com
Fri Apr 17 13:48:47 UTC 2009
On Thu, 16 Apr 2009 23:40:00 -0700, Kees Cook wrote:
> Hi Michael,
>
> On Thu, Apr 16, 2009 at 11:10:38PM -0400, Michael S. Gilbert wrote:
> > would it make sense to integrate ubuntu's security tracker with
> > debian's, especially since the two distros are so closely related?
> > for example, [intrepid]/[jaunty] tags could be used to track
> > ubuntu-specific issues within the debian tracker.
> >
> > this would greatly reduce duplication of effort and make it clear to
> > the other team when the one pushes a fix since everyone will be getting
> > updates from the same tracker. it would also make a lot of sense for
> > the two teams to work more closely together.
> >
> > also, debsecan could finally be modified so that its output makes
> > sense on ubuntu (a pet peeve of mine).
> >
> > just a thought.
>
> It was discussed a lot when we were first building out our tracker, but our
> data sets are 4 times larger (we've effectively got 3 oldstables, 1 stable,
> and 1 testing). Also, we wanted to have a lot more information represented
> in our tracker that didn't really fit the format of the secure-testing
> tracker. We modelled our tracker after the kernel-security tracker
> instead. Our results are here[1].
>
> Our tracker's support tools now both fetch hints from the Debian tracker as
> well as push hints from our back out. NFU's have been working for a while
> now, but today I finally finished the first pass at noticing "TODO: check"
> entries where Ubuntu knows about a possible package match in the Debian
> archive.
>
> So, I'm trying to work as closely as possible, but we've got a lot of
> demands for statistics, bug links, credit, and our
> Canonical-supported/community-support split. There's a ton of metadata
> we're hauling around in our entries, and it seemed like it wouldn't be much
> fun to jam all that into the Debian tracker.
this seems very well-reasoned.
i have one request to improve the process: please submit a 'NOTE' with
a link to the ubuntu patch whenever you issue a fix that hasn't been
issued by debian yet. this will help to increase the debian security
team's awareness of the work that has already been done, and hopefully
make it easier/faster to issue fixes. in fact, it would be preferable
to get this information during the process of preparing the patch,
rather than after the USN is issued.
also, would it be possible to coordinate security notices better? it
looks bad when one of the distros releases a fix and the other doesn't
get the same fix out for days or weeks (i'm not saying to delay the
fix, but to work more closely so both distros are ready to release at
the same time).
btw, it's great that you're now pushing your nfu's to debian. at least
that work will now get split between the two distros, rather than
duplicating the effort. thanks!
mike
More information about the Secure-testing-commits
mailing list