Re: Bits from the Security Team - Debian


Thread: Re: Bits from the Security Team

  1. Re: Bits from the Security Team

    Hi Moritz,

    On Sun, Mar 09, 2008 at 11:05:11PM +0100, Moritz Muehlenhoff wrote:
    > Use of RT
    > =========
    > The Security Team is now using Request Tracker to coordinate work
    > and our RT processes have already been refined a lot.
    > If you're a package maintainer working towards a security update,
    > you're now encouraged to open a ticket directly. You will be kept in
    > CC during the life time of the ticket. If you're opening a ticket for
    > a security problem, which is not yet publicly known, e.g. if you've
    > discovered it by yourself or if you have been contacted by upstream,
    > please open a ticket in the "Security - Private" queue. These
    > issues will only be visible by the Security Team.
    >
    > If you're opening a ticket for a security problem which is publicly
    > known, e.g. if it's announced on the project web site, please open a
    > ticket in the "Security" queue. These issues will be visible publicly.


    As far as I can see, this announcement mail doesn't mention where the RT
    instance is running, nor the means of opening a ticket in the appropriate
    queue. Where is this information available?

    > We're planning to improve our quality assurance process for security
    > updates by providing a public security update beta test program in
    > addition to the existing QA done for security updates.
    > During the preparation of security updates, there's an inherent delay
    > between the initial upload of the fixed packages and the time until
    > the packages have been built on porter machines. This time gap will be
    > used for a new security update beta program. The test program will be
    > targeted at large installations, which install security updates in a
    > test environment before installing them into the production
    > environment. This test group will be initially limited.
    Is this meant to apply only to unembargoed security updates? AIUI, the
    practice today is that for embargoed security updates, all of the binaries
    are kept in the queue until they're ready for release; so I don't really see
    a gap when the security update is public but the binary packages aren't
    built?

    Cheers,
    --
    Steve Langasek                   Give me a lever long enough and a Free OS
    Debian Developer                   to set it on, and I can move the world.
    Ubuntu Developer                                    http://www.debian.org/
    slangasek@ubuntu.com                                   vorlon@debian.org


    --
    To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
    with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

  2. Re: Bits from the Security Team

    On Mon, March 10, 2008 09:24, Steve Langasek wrote:
    >> If you're opening a ticket for a security problem which is publicly
    >> known, e.g. if it's announced on the project web site, please open a
    >> ticket in the "Security" queue. These issues will be visible publicly.
    >
    > As far as I can see, this announcement mail doesn't mention where the RT
    > instance is running, nor the means of opening a ticket in the appropriate
    > queue. Where is this information available?


    We apparently assumed that all developers were aware of where the Debian
    RT is located and how it's used, but for those that missed it,
    instructions are here:
    http://people.debian.org/~terpstra/m...94cadf.en.html

    Sorry for the inconvenience.


    Thijs


  3. Re: Bits from the Security Team

    On Mon, Mar 10, 2008 at 09:28:24AM +0100, Thijs Kinkhorst wrote:
    > On Mon, March 10, 2008 09:24, Steve Langasek wrote:
    > >> If you're opening a ticket for a security problem which is publicly
    > >> known, e.g. if it's announced on the project web site, please open a
    > >> ticket in the "Security" queue. These issues will be visible publicly.
    > >
    > > As far as I can see, this announcement mail doesn't mention where the RT
    > > instance is running, nor the means of opening a ticket in the appropriate
    > > queue. Where is this information available?
    >
    > We apparently assumed that all developers were aware of where the Debian
    > RT is located and how it's used, but for those that missed it,


    I'm well aware of where the existing Debian RT is. Nowhere in the
    announcement mail was it stated that the security team was using the *same*
    RT instance.

    > instructions are here:
    > http://people.debian.org/~terpstra/m...94cadf.en.html
    >
    > Sorry for the inconvenience.


    Which gives information about opening tickets in two queues: the keyring
    queue, and the DSA queue.

    Or do you mean that there's no email address for opening Security tickets,
    and any tickets for the security queue can only be opened using the generic
    'debian' user on the website?

    --
    Steve Langasek                   Give me a lever long enough and a Free OS
    Debian Developer                   to set it on, and I can move the world.
    Ubuntu Developer                                    http://www.debian.org/
    slangasek@ubuntu.com                                   vorlon@debian.org


  4. Re: Bits from the Security Team

    On Mon, 10 Mar 2008, Thijs Kinkhorst wrote:
    > On Mon, March 10, 2008 09:24, Steve Langasek wrote:
    > >> If you're opening a ticket for a security problem which is publicly
    > >> known, e.g. if it's announced on the project web site, please open a
    > >> ticket in the "Security" queue. These issues will be visible publicly.
    > >
    > > As far as I can see, this announcement mail doesn't mention where the RT
    > > instance is running, nor the means of opening a ticket in the appropriate
    > > queue. Where is this information available?
    >
    > We apparently assumed that all developers were aware of where the Debian
    > RT is located and how it's used, but for those that missed it,
    > instructions are here:
    > http://people.debian.org/~terpstra/m...94cadf.en.html


    Don't assume that people remember everything. And the preferred way to
    open a ticket for a DD is usually by sending a mail, and the mail above
    only documents the DSA and keyring queues.

    You should point to the corresponding email alias for the security queues
    IMO. And giving a few more direct links into the web interface can't hurt.


    Cheers,
    --
    Raphaël Hertzog

    Le best-seller français mis à jour pour Debian Etch :
    http://www.ouaza.com/livre/admin-debian/


  5. Re: Bits from the Security Team

    Steve Langasek wrote:
    >> The Security Team is now using Request Tracker to coordinate work
    >> and our RT processes have already been refined a lot.
    >> If you're a package maintainer working towards a security update,
    >> you're now encouraged to open a ticket directly. You will be kept in
    >> CC during the life time of the ticket. If you're opening a ticket for
    >> a security problem, which is not yet publicly known, e.g. if you've
    >> discovered it by yourself or if you have been contacted by upstream,
    >> please open a ticket in the "Security - Private" queue. These
    >> issues will only be visible by the Security Team.
    >>
    >> If you're opening a ticket for a security problem which is publicly
    >> known, e.g. if it's announced on the project web site, please open a
    >> ticket in the "Security" queue. These issues will be visible publicly.
    >
    > As far as I can see, this announcement mail doesn't mention where the RT
    > instance is running, nor the means of opening a ticket in the appropriate
    > queue. Where is this information available?


    We're using the official rt.debian.org.
    Full details will be folded into the developer's reference soon.

    >> We're planning to improve our quality assurance process for security
    >> updates by providing a public security update beta test program in
    >> addition to the existing QA done for security updates.
    >> During the preparation of security updates, there's an inherent delay
    >> between the initial upload of the fixed packages and the time until
    >> the packages have been built on porter machines. This time gap will be
    >> used for a new security update beta program. The test program will be
    >> targeted at large installations, which install security updates in a
    >> test environment before installing them into the production
    >> environment. This test group will be initially limited.
    >
    > Is this meant to apply only to unembargoed security updates? AIUI, the
    > practice today is that for embargoed security updates, all of the binaries
    > are kept in the queue until they're ready for release; so I don't really see
    > a gap when the security update is public but the binary packages aren't
    > built?


    Yes, this is limited to non-embargoed security issues.

    Cheers,
    Moritz