Re: RfD: Debian Security Policy

To: debian-devel@lists.debian.org
Cc: Martin Schulze <joey@finlandia.Infodrom.North.DE>
Subject: Re: RfD: Debian Security Policy
From: Adam Di Carlo <adam@onshore.com>
Date: 31 Aug 1999 02:56:02 -0400
Message-id: <[🔎] oalnas8mm5.fsf@arroz.fake>
In-reply-to: Martin Schulze's message of "Tue, 31 Aug 1999 03:31:07 +0200"
References: <[🔎] 19990831033107.T29569@finlandia.infodrom.north.de>

Martin Schulze <joey@finlandia.Infodrom.North.DE> writes:

> Debian Security Policy
> 
> 1. This Policy document describes the scope and duties of the Debian
>    Security Team for Debian.

I think this is excellent!  I hope it gets posted on the web site (or
some web site) soon.

> 2. As soon as an incident is known the Security Team work on fixing
>    affected packages.  If no fix is known yet, they try to develop one
>    on their own in connection with affected package maintainers.

I would say here:

 2. As soon as an incident is known the Security Team work on
    determining where the fault is, and fixing affected packages.  If
    no fix is known yet, they try to develop one on their own in
    connection with affected package maintainers.  (Package
    maintainers are responsible for corresponding with upstream
    maintainers).

Actually, maybe it should be that the security team immediately notify
both the package maintainer and the upstream maintainer of the problem
once the fault is known.  I think this would put it in better stead
with upstream maintainers (who maybe would be more inclined to notify
the Security team if security faults are detected by "third parties").

Actually, isn't everything but the first sentance redundant with what
comes below?

[snip]
> 7. If the maintainer of a certain package does not respond within a
>    few days or is unable to provide a fixed package, the Security Team
>    is permitted to work on a fixed version on their own.

Actually, I don't think the security team should have any waiting
periods at all.  They should attempt to reach the package maintainer,
but may (or may not) immediate fix and upload at their discretion.

>              Such a
>    package will be handled similar to other non-maintainer uploads,
>    except that the Security Team does not have to wait for a couple of
>    weeks.  The rule still is "minimal changes only".
> 
> 8. New subreleases of the stable distribution containing security
>    updates will be prepared every one or two months, depending on the
>    amount of security updates.  This will keep systems relatively up
>    to date.  It will also keep proposed-updates and
>    security.debian.org small.  An announcement will be made covering
>    the new subrelease.

Probably should speicify the announcement list.

That reminds me, you should probably also specify the advisory list so
people know how to subscribe to it.

>    The subrelease will be done by the Release Engineer or - if
>    available - the Stable Release Manager and prepared in connection
>    with the Security Team, who is responsible for security updates.

Looks pretty good!

--
.....Adam Di Carlo....adam@onShore.com.....<URL:http://www.onShore.com/>

Reply to:

Follow-Ups:
- Re: RfD: Debian Security Policy
  - From: Martin Schulze <joey@finlandia.Infodrom.North.DE>

References:
- RfD: Debian Security Policy
  - From: Martin Schulze <joey@finlandia.Infodrom.North.DE>

Prev by Date: Re: this all this xxx-jp nonsense (was: Re: ITP: grep-ja)
Next by Date: Re: this all this xxx-jp nonsense (was: Re: ITP: grep-ja)
Previous by thread: RfD: Debian Security Policy
Next by thread: Re: RfD: Debian Security Policy
Index(es):
- Date
- Thread