
Re: Bits from the Security Team



On Thu, Mar 06, 2014 at 09:00:13AM +0800, Paul Wise wrote:
> > * There are quite some vulnerabilities which are addressed in Debian,
> >   but for which no CVE identifier has been assigned.
> 
> Perhaps we could encourage those submitting security bugs to
> X-Debbugs-CC the oss-sec list?

That would generate too much noise.

> Reading LWN I sometimes note the same issue happens for other
> distributions. Does the security team monitor the advisory
> announcements of upstreams and other distributions and auto-correlate
> those with CVEs?

Yes, from time to time we pick up issues from distros which don't 
request CVE IDs for their advisories. 
 
> > * We're currently using Subversion. We discussed changing to git, but
> >   git doesn't offer significant benefit for our purpose so we decided
> >   to stick with it.
> 
> From when alioth was having repository issues, it appears having the
> full history locally is useful so git would still be a net win. Also
> is the SHA-1 hash chain not useful?

It doesn't really outweigh the additional work needed for the move.
 
> > * In order to avoid bottlenecks and to open up the security process
> >   further we're planning to allow maintainers which are not part of
> >   the security team to release security updates on their own....
> 
> The backports archive has a whitelist mechanism, would that be useful?

Probably, we'll have a look when we get into the actual implementation.
 
> The information at www.d.o/security could use some updates.

Please file bugs against the www.debian.org pseudo bug with specific
changes.
 
> Will security team members be at DebConf14?

Most likely not.
 
> Is the team filtering debian-devel-changes and looking for words like
> security, overflow, attack etc? This might turn up some things that
> don't have CVEs but should.

Yes, at least two people are reading d-d-changes on a daily basis.

Cheers,
        Moritz
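The last exchange above asks whether the team greps debian-devel-changes for words like "security", "overflow" or "attack" to find fixes that shipped without a CVE identifier. The script below is an added example of that heuristic, not code from the Debian security team or from this thread: it parses constructed, d-d-changes-style "Accepted" bodies (Source/Version/Changes fields only), flags the ones whose changelog entry hits a security keyword but cites no CVE identifier, and leaves alone entries that already reference one. The keyword list and the sample messages are assumptions made for the example; the CVE ID in the first sample is a placeholder, not a real assignment.

```python
import re
from dataclasses import dataclass

# Keyword list assumed for this example (the thread names "security, overflow,
# attack etc"); it is not the security team's actual filter.
SECURITY_KEYWORDS = ("security", "overflow", "attack", "exploit",
                     "denial of service", "use-after-free", "injection")
KEYWORD_RE = re.compile("|".join(re.escape(k) for k in SECURITY_KEYWORDS),
                        re.IGNORECASE)
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")


@dataclass
class Hit:
    source: str
    version: str
    keywords: tuple   # security keywords seen in the changelog entry
    cves: tuple       # CVE IDs seen in the changelog entry (empty when flagged)


def parse_accepted_mail(text):
    """Extract Source, Version and the Changes block from one Accepted mail body.

    Continuation lines of a field start with a space; a line that does not is
    the next field. Only the three fields used here are returned.
    """
    headers = {}
    changes = []
    in_changes = False
    for line in text.splitlines():
        if in_changes:
            if line.startswith(" ") or line == "":
                changes.append(line.strip())
                continue
            in_changes = False
        m = re.match(r"^([A-Za-z-]+):\s*(.*)$", line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if key == "Changes":
            in_changes = True
            changes.append(value.strip())
        else:
            headers[key] = value
    return headers.get("Source", "?"), headers.get("Version", "?"), "\n".join(changes)


def scan(messages):
    """Return a Hit for every message whose changelog mentions a security
    keyword but cites no CVE identifier; those are the candidates to chase."""
    hits = []
    for text in messages:
        source, version, changes = parse_accepted_mail(text)
        kws = tuple(sorted({m.group(0).lower() for m in KEYWORD_RE.finditer(changes)}))
        cves = tuple(sorted(set(CVE_RE.findall(changes))))
        if kws and not cves:
            hits.append(Hit(source, version, kws, cves))
    return hits


# Constructed sample bodies in the Accepted-mail layout; package names,
# versions and the CVE ID are placeholders.
SAMPLE_MAILS = [
    # Security fix that already cites an ID: nothing to do.
    "Source: libfoo\nVersion: 1.2-3\nDistribution: unstable\n"
    "Changes:\n libfoo (1.2-3) unstable; urgency=high\n .\n"
    "   * Fix heap overflow in PNG decoder (CVE-2014-0000, placeholder ID)\n"
    "Checksums-Sha1:\n 0123 libfoo_1.2-3.dsc\n",
    # Memory-safety fix with no CVE reference: flag it.
    "Source: bar\nVersion: 0.9-1\nDistribution: unstable\n"
    "Changes:\n bar (0.9-1) unstable; urgency=medium\n .\n"
    "   * Fix stack overflow when parsing oversized headers\n"
    "Checksums-Sha1:\n 4567 bar_0.9-1.dsc\n",
    # Ordinary upload: no keywords, no hit.
    "Source: baz\nVersion: 2.0-1\nDistribution: unstable\n"
    "Changes:\n baz (2.0-1) unstable; urgency=low\n .\n"
    "   * New upstream release; update translations\n"
    "Checksums-Sha1:\n 89ab baz_2.0-1.dsc\n",
    # Described as a security update but with no CVE reference: flag it.
    "Source: qux\nVersion: 1.0-2\nDistribution: unstable\n"
    "Changes:\n qux (1.0-2) unstable; urgency=high\n .\n"
    "   * Security update: reject malformed attack strings in the login form\n"
    "Checksums-Sha1:\n cdef qux_1.0-2.dsc\n",
]

if __name__ == "__main__":
    for h in scan(SAMPLE_MAILS):
        print(f"{h.source} {h.version}: {', '.join(h.keywords)} but no CVE cited")
```

A hit only means the changelog does not cite an ID; the upstream advisory or another distribution may already have one, so each hit still needs a cross-check against the tracker before a request goes to oss-sec or MITRE.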



