Bug#436161: debtags: New tags for security support
On Sun, Aug 05, 2007 at 11:59:31PM +0200, Moritz Muehlenhoff wrote:

> Please add support for the following tags, as discussed during DebConf in
> Edinburgh:
>
> * [etch|lenny]-security-unsupported to flag that a source package has no
> [...]
> * security-local-use-only (or something similar, I'm unsure about the exact
> [...]

Hello Moritz,

I finally got time for this. I really care about it.

Please find attached a tarball that implements a first prototype. To give it a first try, you can put it online as, for example, http://security.debian.org/tags, then add this line to /etc/debtags/sources.list:

    tags http://security.debian.org/tags

Running `debtags update` will download the tags and index them.

All the Debian package managers, with the exception of adept, do not currently support merging tags in this way. I can however easily implement merging tags and vocabulary from your tag source when I build the tag override files that are installed in the Packages file.

Therefore a first step could be that you (security team) maintain a tag source at your liking (like you have in the attached tarball), then I can fetch it and merge it into the Packages file.

With the same method I can implement more extra tag sources merged into the Packages file, like for the proposals posted elsewhere in this bug report of generating tags from wnpp entries.

Having the tag sources merged in this way also prevents these extra tags from being edited by anyone on the tagging interface at http://debtags.alioth.debian.org/edit.html

Ciao,

Enrico

--
GPG key: 1024D/797EBFAB 2000-12-05
Enrico Zini [EMAIL PROTECTED]
Bug#436161: debtags: New tags for security support
Hi,

* Enrico Zini [EMAIL PROTECTED] [2007-09-17 13:22]:
> On Sun, Aug 05, 2007 at 11:59:31PM +0200, Moritz Muehlenhoff wrote:
> [...]
> Please find attached a tarball that implements a first prototype. To give it
> a first try, you can put it online as, for example,
> http://security.debian.org/tags, then add this line to
> /etc/debtags/sources.list:
> [...]

What you described really sounds very cool, but you forgot the tarball.

Kind regards
Nico

--
Nico Golde - http://ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Bug#436161: debtags: New tags for security support
On Mon, Sep 17, 2007 at 01:35:17PM +0200, Nico Golde wrote:

> What you described really sounds very cool, but you forgot the tarball.

Doh! Sorry, here it is.

Ciao,

Enrico

--
GPG key: 1024D/797EBFAB 2000-12-05
Enrico Zini [EMAIL PROTECTED]

Attachment: security.tar.gz (Binary data)
Bug#436161: debtags: New tags for security support
Enrico Zini wrote:

> On Sun, Aug 05, 2007 at 11:59:31PM +0200, Moritz Muehlenhoff wrote:
>
> > Please add support for the following tags, as discussed during DebConf in
> > Edinburgh:
> >
> > * [etch|lenny]-security-unsupported to flag that a source package has no
> > [...]
> > * security-local-use-only (or something similar, I'm unsure about the exact
> > [...]
>
> Hello Moritz,
>
> I finally got time for this. I really care about it.

Enrico,

Thanks a lot. I'll have an in-depth look at it when I'm back from vacation next month.

Cheers,
Moritz

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Bug#436161: debtags: New tags for security support
On Sun, Aug 05, 2007 at 11:59:31PM +0200, Moritz Muehlenhoff wrote:

> Please add support for the following tags, as discussed during DebConf in
> Edinburgh:
>
> * [etch|lenny]-security-unsupported to flag that a source package has no
>   support by the Security Team. It should be distribution-specific to allow
>   revoking support for individual suites, as it was necessary for Mozilla
>   in Sarge.
>
> * security-local-use-only (or something similar, I'm unsure about the exact
>   naming), to indicate that security support only applies to local, trusted
>   users. An example: SQL-Ledger has a horrible security track record, so we
>   only support running it behind an authenticated HTTP zone. It's still
>   useful software and limiting support is a viable choice; doing accounting
>   carries a whole lot of implicit trust anyway.

Hi Moritz,

thanks for opening this bug. I'm totally in favour of this.

This seems to be the right place to also paste the other notes that I took during the BOF at DebConf:

- low-popularity packages can delegate security to the maintainers
- support-level tags
  - Auto-generated tags
    - orphaned
    - MIA maintainer
    - old RC bugs
  - Team-generated tags
    - security team won't support
      - possibly, suite-specific no-security-support tags
    - suited for local use only (web-based double entry account system; usable in the local network, but don't export on the internet)
  - DD-introduced tags in control file
    - self-declared fringe package
    - self-declared dead-upstream
    - self-declared dead-upstream but DD will fix bugs
- What else?
  - brainstorm personal best practices/metrics for choosing packages
    - package depends on orphaned packages
    - development status (alpha, beta, production, ...)
    - I don't use this package anymore (could be computed by scanning RFA bugs)

Ciao,

Enrico

--
GPG key: 1024D/797EBFAB 2000-12-05
Enrico Zini [EMAIL PROTECTED]
Bug#436161: debtags: New tags for security support
On Sun, Aug 05, 2007 at 11:59:31PM +0200, Moritz Muehlenhoff wrote:

> Please add support for the following tags, as discussed during DebConf in
> Edinburgh:
>
> * [etch|lenny]-security-unsupported to flag that a source package has no
>   support by the Security Team. It should be distribution-specific to allow
>   revoking support for individual suites, as it was necessary for Mozilla
>   in Sarge.
>
> * security-local-use-only (or something similar, I'm unsure about the exact
>   naming), to indicate that security support only applies to local, trusted
>   users.
>
> Once implemented in debtags we need support in apt, etc.

I think these things might be a good idea. Though I would expect a more general discussion on the mailinglist(s) about why these tags are needed, when and how they would be used.

I for one would rather not have a package in a release than have a package that is not supported by the security team. So maybe we should also discuss alternatives like backports + security and procedures on how to find and communicate about packages that have lots of security issues or are very hard to fix by backported security updates?

Cheers
Luk
Bug#436161: debtags: New tags for security support
Package: debtags
Severity: normal

Please add support for the following tags, as discussed during DebConf in Edinburgh:

* [etch|lenny]-security-unsupported to flag that a source package has no support by the Security Team. It should be distribution-specific to allow revoking support for individual suites, as it was necessary for Mozilla in Sarge.

* security-local-use-only (or something similar, I'm unsure about the exact naming), to indicate that security support only applies to local, trusted users. An example: SQL-Ledger has a horrible security track record, so we only support running it behind an authenticated HTTP zone. It's still useful software and limiting support is a viable choice; doing accounting carries a whole lot of implicit trust anyway.

Once implemented in debtags we need support in apt, etc.

If you have any questions, please come back to me. I'm also available on #debian-security

Cheers,
Moritz

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.22-1-686 (SMP w/1 CPU core)
Locale: LANG=C, [EMAIL PROTECTED] (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash
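The thread proposes two kinds of tag (a suite-specific `*-security-unsupported` flag and `security-local-use-only`) and, in Enrico's reply, a workflow in which the security team publishes a separate tag source that gets merged into the `Tag:` field of the Packages file. The script below is an added illustration of both halves of that idea; it is not debtags' or the security team's code. It assumes the tag source uses one `package: tag1, tag2` line per package (the layout of a debtags tag file), that Packages stanzas are blank-line-separated `Field: value` paragraphs, and that the tags are spelled exactly as proposed in the bug, since the thread leaves the final facet naming open. The input data is constructed for the example.

```python
"""Merge an extra debtags-style tag source into Packages stanzas and
report packages whose security support is limited for a given suite.

Added example for this bug thread, not debtags' own code.  Assumptions:
the extra tag source is one "package: tag1, tag2" line per package, the
Packages text is blank-line-separated "Field: value" stanzas with an
optional comma-separated "Tag:" field, and tag names follow the bug's
proposal (etch-security-unsupported, security-local-use-only).
"""

from collections import OrderedDict

# Constructed sample: a tag source as the security team might publish it.
SECURITY_TAGS = """\
sql-ledger: security-local-use-only
mozilla-firefox: etch-security-unsupported, lenny-security-unsupported
"""

# Constructed sample Packages stanzas, trimmed to the fields we need.
PACKAGES = """\
Package: sql-ledger
Version: 2.6.27-1
Tag: role::program, web::application

Package: mozilla-firefox
Version: 2.0.0.6-1

Package: hello
Version: 2.2-1
Tag: role::program
"""


def split_tags(value):
    """Turn 'a, b, c' into a set of stripped, non-empty tag names."""
    return {t.strip() for t in value.split(",") if t.strip()}


def parse_tag_source(text):
    """Parse 'package: tag, tag' lines into {package: set(tags)}."""
    tags = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pkg, _, taglist = line.partition(":")
        tags.setdefault(pkg.strip(), set()).update(split_tags(taglist))
    return tags


def parse_packages(text):
    """Split Packages text into a list of ordered {field: value} stanzas."""
    stanzas, current = [], OrderedDict()
    for line in text.splitlines():
        if not line.strip():
            if current:
                stanzas.append(current)
                current = OrderedDict()
            continue
        field, _, value = line.partition(":")
        current[field.strip()] = value.strip()
    if current:
        stanzas.append(current)
    return stanzas


def merge_tags(stanzas, extra):
    """Union the extra source's tags into each stanza's Tag field."""
    for st in stanzas:
        pkg = st.get("Package")
        if pkg not in extra:
            continue
        st["Tag"] = ", ".join(sorted(split_tags(st.get("Tag", "")) | extra[pkg]))
    return stanzas


def security_report(stanzas, suite):
    """Return {package: reason} for packages with limited security support
    in `suite`, judged from the merged tags.  A suite-specific unsupported
    tag outranks the local-use-only qualifier."""
    report = {}
    for st in stanzas:
        tags = split_tags(st.get("Tag", ""))
        if f"{suite}-security-unsupported" in tags:
            report[st["Package"]] = "no security support in " + suite
        elif "security-local-use-only" in tags:
            report[st["Package"]] = "security support only for local, trusted users"
    return report


def format_packages(stanzas):
    """Serialise stanzas back to Packages-file text."""
    return "\n\n".join(
        "\n".join(f"{k}: {v}" for k, v in st.items()) for st in stanzas) + "\n"


if __name__ == "__main__":
    merged = merge_tags(parse_packages(PACKAGES), parse_tag_source(SECURITY_TAGS))
    print(format_packages(merged))
    for pkg, why in sorted(security_report(merged, "etch").items()):
        print(f"{pkg}: {why}")
```

Because the merge happens when the Packages file is built rather than through the public tagging interface, the extra tags inherit the archive's own trust path (the signed Release file) and cannot be edited by arbitrary users of the web editor, which is the property Enrico's reply relies on.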