On Mon, Mar 14, 2005 at 04:51:55PM -0800, Matt Zimmerman wrote:
> On Tue, Mar 15, 2005 at 01:14:30AM +0100, Sven Luther wrote:
> 
> > On Mon, Mar 14, 2005 at 06:10:30PM -0500, Andres Salomon wrote:
> > > Yes, I would like to reiterate that coordination between Martin Pitt, the
> > > Ubuntu kernel team, and the Debian kernel team has been an invaluable
> > > resource for Debian; there are a lot of security fixes in Debian
> > > kernels that were brought to my attention by either Fabio or Martin.
> > 
> > Because they are in the security-announce-loop and we are not though, right?
> 
> Can you restate the question more clearly?  In particular, expand the
> pronouns "they" and "we", and explain what the security-announce-loop is.

There is this vendor-specific-security-announce-with-embargo thingy.

The Debian kernel team mostly handles the unstable and testing kernel, and is
not in the loop for getting advance notice of those problems, so we cannot build
fixed versions until the vulnerability gets announced, and thus we can't
upload kernels in a timely fashion like Ubuntu or other vendors do, who often
have a couple of weeks of advance warning. On slower arches this could be a
problem.

The debian-security team is handling stable only, and there are no security
updates for unstable until well after the embargo is over, and for testing a
bit after that, depending on whether the kernels get hinted in or not.

To have proper security-in-testing-or-unstable for the kernel, the
debian-kernel security team, or at least a few members of it, need to be made
aware of the embargoed security holes, and get a chance to fix them in
advance, maybe with a private, non-public security copy of our svn tree
(using svk maybe).

This is not an Ubuntu-related problem though, and the help the Ubuntu
kernel/security team has provided us has been invaluable, but it should maybe
not be necessary if the information had not been wrongfully withheld from us
in the first place.

Friendly,

Sven Luther

