On Thu, Mar 06, 2014 at 09:00:13AM +0800, Paul Wise wrote:

> > * There are quite some vulnerabilities which are addressed in Debian,
> >   but for which no CVE identifier has been assigned.
>
> Perhaps we could encourage those submitting security bugs to
> X-Debbugs-CC the oss-sec list?

That would generate too much noise.

> Reading LWN I sometimes note the same issue happens for other
> distributions. Does the security team monitor the advisory
> announcements of upstreams and other distributions and auto-correlate
> those with CVEs?

Yes, from time to time we pick up issues from distros which don't request
CVE IDs for their advisories.

> > * We're currently using Subversion. We discussed changing to git, but
> >   git doesn't offer significant benefit for our purpose so we decided
> >   to stick with it.
>
> From when alioth was having repository issues, it appears having the
> full history locally is useful so git would still be a net win. Also
> is the SHA-1 hash chain not useful?

It doesn't really outweigh the additional work needed for the move.

> > * In order to avoid bottlenecks and to open up the security process
> >   further we're planning to allow maintainers which are not part of
> >   the security team to release security updates on their own....
>
> The backports archive has a whitelist mechanism, would that be useful?

Probably, we'll have a look when we get into the actual implementation.

> The information at www.d.o/security could use some updates.

Please file bugs against the www.debian.org pseudo bug with specific changes.

> Will security team members be at DebConf14?

Most likely not.

> Is the team filtering debian-devel-changes and looking for words like
> security, overflow, attack etc? This might turn up some things that
> don't have CVEs but should.

Yes, at least two people are reading d-d-changes on a daily basis.

Cheers,
Moritz

-- 
To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/20140310153043.GA4777@pisco.westfalen.local