[Secure-testing-commits] r30512 - org
Moritz Muehlenhoff
jmm at moszumanska.debian.org
Wed Dec 3 18:28:00 UTC 2014
Author: jmm
Date: 2014-12-03 18:28:00 +0000 (Wed, 03 Dec 2014)
New Revision: 30512
Added:
org/agenda-2015.txt
Log:
first stab at some agenda items
Added: org/agenda-2015.txt
===================================================================
--- org/agenda-2015.txt (rev 0)
+++ org/agenda-2015.txt 2014-12-03 18:28:00 UTC (rev 30512)
@@ -0,0 +1,97 @@
+Agenda for Security Team Meeting
+--------------------------------
+
+Workflow
+========
+
+- Improvements needed for dsa-needed.txt, like more automatisation? The repo
+ with embargoed issues isn't used much, what can we do to improve that?
+
+- Is RT abandoned, do we still need to clean up old issues from the security
+ queues?
+
+- Draft new people, possible candidates
+
+- Opening up the security process further to allow maintainers of packages with
+ frequent issues to release updates themselves. Needs a more detailed workplan:
+ - Updates need to be reviewed/acked by sec team members
+
+ - Requires changes to dak to no longer require access to security-master,
+ e.g. by using a mechanism similar to allowing a DM to upload and sending
+ error messages to the signer of the upload (already requested by Thijs)
+
+ - Requires changes to debian-security-announce
+
+Tools
+=====
+
+- Compile a list of issues we want to see fixed
+
+- Make it simple to release packages for others to test, e.g. an aptable security queue,
+ what is needed to implement that?
+
+- How can we leverage autopkgtest for testing security updates in jessie?
+
+- Migrate to git during the weekend? Since most people are around and we'll be
+ actively using all tools anyway, we can fix all fallout right-away.
+
+Tracker
+=======
+
+- Add a new status to differentiate between "no-dsa, if the maintainer wants
+ to fix in a point update go ahead" and "no-dsa, was ignored because it's
+ possible to backport" (this is e.g. needed to cover non-backportable issues
+ like CVE-2013-4148 et al. for KVM).
+
+- Check open bugs in the BTS, check bugs against security-tracker pseudo package
+
+- Support for consistency checks on source package names, e.g linux-2.6/linux
+ or all of the ruby packages, track package renames
+
+- Automatically add <end-of-life> tags for unsupported packages
+
+- Automating more tasks:
+ + dropping "NOTE: to be rejected" when an issue is marked as REJECTED
+ + script to automatically merge data/next-{oldstable-,}point-update.txt
+ + get an overview of newly reported bugs in the Debian BTS which have
+ tag security (if one submits a bug not over reportbug we do not get
+ a copy)?
+ + Automatically group/reorder unassigned CVE-$year-XXXX item to have
+ them in one place and get a better overview?
+
+
+Documentation
+=============
+
+- Work on proper documentation how people can contribute
+
+- Remove mentions of the "testing security team" since that doesn't
+ seem to exist anymore
+
+Distribution hardening
+======================
+
+- What new hardening features should we tackle for stretch?
+
+- systemd hardening features; identify a set of important packages
+
+- improve detection of hardened build flags, maybe write the flags used into an
+ ELF section? This way it could be more reliably checked whether correct flags
+ were used (e.g. for binaries using fortified source, but not using any of the
+ functions covered by it)
+
+- hidepid by default
+
+
+LTS
+===
+
+- Review; what is working well, how is it keeping up, we can we do to help?
+
+- What tool changes need to be made?
+
+Others
+======
+
+- Distribute the new security team key on
+
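Review bot: the last item under "Others" ("Distribute the new security team key on") ends mid-sentence, so the agenda never says where the key is to be distributed; finish the line (e.g. name the keyservers, keyring package or announcement channel intended) before this is circulated to the team. Two smaller nits in the same hunk: the LTS line "how is it keeping up, we can we do to help?" has a doubled "we" and should read "what can we do to help?", and "e.g linux-2.6/linux" under Tracker is missing the period after "e.g".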