Re: Bad press again...
* martin f. krafft:

> I think Alvin was alluding to how it *should* be solved. As in: we
> should have more than one security server, globally spaced.

security.debian.org already is a Single Point of Ownership. I don't think
we need multiple ones, so this is definitely a post-etch thing.

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe".
Trouble? Contact [EMAIL PROTECTED]
Re: Bad press again...
* W. Borgert:

> Do we have a security team for stable? I know that we have a security
> team for testing consisting of nine DDs and ten non-DDs, but it seems to
> me that stable is handled by Joey alone. Has this changed since the
> havoc a few months ago?

I don't think so. Joey seems to be satisfied with this situation, and
apart from unanswered email messages to [EMAIL PROTECTED], there are few
complaints, AFAIK. The email part is very unfortunate indeed, but it
probably doesn't warrant drastic measures.
Re: Bad press again...
[Florian Weimer]
> I don't think so. Joey seems to be satisfied with this situation, and
> apart from unanswered email messages to [EMAIL PROTECTED], there are few
> complaints, AFAIK.

I'm not sure if the satisfaction of Martin Schulze is a good measuring
stick to judge the quality of the stable security work. The count of open
security issues in stable and oldstable is probably a better measuring
meter, and it does not look too good.
Re: Bad press again...
On Sat, 27 Aug 2005, Florian Weimer wrote:
> * martin f. krafft:
>> I think Alvin was alluding to how it *should* be solved. As in: we
>> should have more than one security server, globally spaced.
>
> security.debian.org already is a Single Point of Ownership. I don't
> think we need multiple ones, so this is definitely a post-etch thing.

Irrelevant if secure apt is deployed correctly.

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh
Re: Bad press again...
On Sat, 27 Aug 2005, Florian Weimer wrote:
> I don't think so. Joey seems to be satisfied with this situation, and
> apart from unanswered email messages to [EMAIL PROTECTED], there are few
> complaints, AFAIK. The email part is very unfortunate indeed, but it
> probably doesn't warrant drastic measures.

Since when is increasing the stable security team (i.e. adding more
people) a drastic measure?

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh
Re: Bad press again...
also sprach Henrique de Moraes Holschuh [EMAIL PROTECTED] [2005.08.27.1540 +0200]:
>> security.debian.org already is a Single Point of Ownership. I don't
>> think we need multiple ones, so this is definitely a post-etch thing.
>
> Irrelevant if secure apt is deployed correctly.

No. Imagine exim gets a root exploit and I spoof the DNS to some mirror
of s.d.o. That mirror will be consistent wrt secure APT, but it won't get
updates, so admins who don't follow DSAs and run apt-get upgrade
consciously and carefully are going to be left in the naive belief that
they are safe because s.d.o doesn't have any new stuff.

-- 
Please do not send copies of list mail to me; I read the list!
martin f. krafft [EMAIL PROTECTED]
proud Debian developer and author: http://debiansystem.info
Debian - when you have better things to do than fixing a system
Invalid/expired PGP (sub)keys? Use subkeys.pgp.net as keyserver!

perl -e 'print The earth is a disk!\n if ( a == b );' (dedicated to nori)
Re: Bad press again...
On Sat, Aug 27, 2005 at 11:07:21AM +0200, Florian Weimer wrote:
> apart from unanswered email messages to [EMAIL PROTECTED], there are few
> complaints, AFAIK. The email part is very unfortunate indeed,

I'm not entirely happy with the lack of redundancy. Given the (not only
commercial) significance of Debian, the size of the distribution, and the
complexity of today's software combined with the openness of the net, a
team of at least five, maybe ten people might not be unjustifiable.
(testing security team: 19 people, right?)

Cheers, WB
Re: Bad press again...
* Henrique de Moraes Holschuh:

> On Sat, 27 Aug 2005, Florian Weimer wrote:
>> I don't think so. Joey seems to be satisfied with this situation, and
>> apart from unanswered email messages to [EMAIL PROTECTED], there are few
>> complaints, AFAIK. The email part is very unfortunate indeed, but it
>> probably doesn't warrant drastic measures.
>
> Since when is increasing the stable security team (i.e. adding more
> people) a drastic measure?

Correct me if I'm wrong, but the current team doesn't seem to want new
members. If you nevertheless force new members upon them, you are in fact
looking for a complete replacement. This is what I call drastic.
Re: Bad press again...
On Saturday, 27 August 2005 15:44, martin f krafft wrote:
> No. Imagine exim gets a root exploit and I spoof the DNS to some mirror
> of s.d.o. That mirror will be consistent wrt secure APT, but it won't
> get updates, so admins who don't follow DSAs and run apt-get upgrade
> consciously and carefully are going to be left in the naive belief that
> they are safe because s.d.o doesn't have any new stuff.

This scenario could be avoided if s.d.o would authenticate itself. Is
authentication of the server something which has been considered with
secure apt? Even if you mirror all of s.d.o you still do not have its
certificates.

-- 
Rudolf Lohner - Universitaet Karlsruhe (TH)
Rechenzentrum, Zirkel 2, D-76128 Karlsruhe
Phone: +49-721-608-6958, Fax: +49-721-32550
E-Mail: [EMAIL PROTECTED]
http://www.rz.uni-karlsruhe.de/~Rudolf.Lohner
Re: Bad press again...
also sprach Rudolf Lohner [EMAIL PROTECTED] [2005.08.27.1651 +0200]:
> This scenario could be avoided if s.d.o would authenticate itself. Is
> authentication of the server something which has been considered with
> secure apt?

I've suggested this before but never had the time to implement it.
Patches are welcome. :) Of course you'll have to add SSL support to
security.debian.org as well, which may be the actual show stopper.

FWIW, Florian sent me this interesting link:
http://www.cs.berkeley.edu/~nweaver/0wn2.html

-- 
Please do not send copies of list mail to me; I read the list!
martin f. krafft [EMAIL PROTECTED]
proud Debian developer and author: http://debiansystem.info
Debian - when you have better things to do than fixing a system
Invalid/expired PGP (sub)keys? Use subkeys.pgp.net as keyserver!

we all know linux is great... it does infinite loops in 5 seconds.
-- linus torvalds
Re: Bad press again...
* Petter Reinholdtsen:

> The count of open security issues in stable and oldstable is probably a
> better measuring meter, and it does not look too good.

Security support is a task for Debian as a whole, not just the security
team. IMHO, the main role of the security team is information sharing,
risk assessment, and quality assurance for security updates. The team
should act as a trusted point of contact, forward information from
external sources to the relevant developers (in many cases this is
possible, even if the information is considered sensitive), and respond
to security-related questions, both from inside the project and from
external entities.

The team should have the final say in what can go into the archive as a
security update, after it has weighed the security threat against the
general risk of any change to the stable distribution. It's also
necessary for the team to review all security updates, to deal with the
Single Point of Ownership problem. Even if all Debian developers are
trustworthy, some of their machines might be compromised, or they simply
make mistakes.

The security team has access to privileged information which might be
helpful while preparing security updates, true, but in most cases, after
the issue has been disclosed to some extent (because upstream has issued
an update, for example), their head start is gone.

Nevertheless, there seems to be a general tendency among Debian
developers to assume that security updates for stable are the job of the
security team. In my eyes, this is the root of the problem. The security
team shouldn't spend their time on package maintenance; that's what
maintainers are for.
Re: Bad press again...
* Henrique de Moraes Holschuh:

> On Sat, 27 Aug 2005, Florian Weimer wrote:
>> * martin f. krafft:
>>> I think Alvin was alluding to how it *should* be solved. As in: we
>>> should have more than one security server, globally spaced.
>>
>> security.debian.org already is a Single Point of Ownership. I don't
>> think we need multiple ones, so this is definitely a post-etch thing.
>
> Irrelevant if secure apt is deployed correctly.

Yes, that's why it is a post-etch thing, realistically speaking.
Re: Bad press again...
Hi martin!

On Sat, 27 Aug 2005, martin f krafft wrote:
> also sprach Henrique de Moraes Holschuh [EMAIL PROTECTED] [2005.08.27.1540 +0200]:
>>> security.debian.org already is a Single Point of Ownership. I don't
>>> think we need multiple ones, so this is definitely a post-etch thing.
>>
>> Irrelevant if secure apt is deployed correctly.
>
> No. Imagine exim gets a root exploit and I spoof the DNS to some

Yes. "Deployed correctly" means you require time stamping, and you check
it for undue values. Anyone who can connect to mirrors can connect to
SNTP servers, so "what about people with bad clocks" doesn't hold as an
excuse. No, apt does not have all this functionality yet, but it is not
difficult to add it for etch.

For this to work, you need a master s.d.o mirror, and automatic signing
(so that you can keep the timestamping as low as a few hours). This gives
you a mirror network, with the same single owning point of failure we
have right now.

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh
Re: Bad press again...
also sprach Florian Weimer [EMAIL PROTECTED] [2005.08.27.1648 +0200]:
> Correct me if I'm wrong, but the current team doesn't seem to want new
> members. If you nevertheless force new members upon them, you are in
> fact looking for a complete replacement. This is what I call drastic.

When a bottleneck arises, you either widen the neck or remove that which
clogs the passage. Neither is more drastic than the other, for they are
not alternatives; each is a solution to its own set of problems, and if
the current team blocks new members and yet does not meet the general
expectations of our users, it's essentially more of a clog than a
bottleneck.

-- 
Please do not send copies of list mail to me; I read the list!
martin f. krafft [EMAIL PROTECTED]
proud Debian developer and author: http://debiansystem.info
Debian - when you have better things to do than fixing a system
Invalid/expired PGP (sub)keys? Use subkeys.pgp.net as keyserver!

gentoo: the performance placebo.
Re: Bad press again...
* martin f. krafft:

> FWIW, Florian sent me this interesting link:
> http://www.cs.berkeley.edu/~nweaver/0wn2.html

This was only intended as an explanation of the term "single point of
ownership". I don't agree with Nicholas Weaver's analysis.
Re: Bad press again...
On Sat, 27 Aug 2005, Henrique de Moraes Holschuh wrote:
> For this to work, you need a master s.d.o mirror, and automatic signing
> (so that you can keep the timestamping as low as a few hours). This
> gives you a mirror network, with the same single owning point of
> failure we have right now.

Add to it requiring messages to have more than one signature, so that the
sec. team remains the single one point of failure for .deb injection.

The point about secure time keeping is a good one, and the perfect
solution (an authenticated ntp server) ain't doable. So, we'd have to
rely on the user being capable of keeping his clock accurate and noticing
if it is off by too much with some prompting by apt. Not a perfect
solution at all :(

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh
Re: Bad press again...
On Sat, 27 Aug 2005, Florian Weimer wrote:
> * Henrique de Moraes Holschuh:
>> On Sat, 27 Aug 2005, Florian Weimer wrote:
>>> I don't think so. Joey seems to be satisfied with this situation, and
>>> apart from unanswered email messages to [EMAIL PROTECTED], there are
>>> few complaints, AFAIK. The email part is very unfortunate indeed, but
>>> it probably doesn't warrant drastic measures.
>>
>> Since when is increasing the stable security team (i.e. adding more
>> people) a drastic measure?
>
> Correct me if I'm wrong, but the current team doesn't seem to want new
> members. If you nevertheless force new members upon them, you are in

Huh? They probably do, for all I know. Whether they have people they
trust for the job right now is something else, though. We can probably
expect that some people will be promoted from the testing security team
to the stable one in a reasonable timeframe (some months) without much
fuss.

As for doing it over the current stable security team's wishes, I am not
advocating that AT ALL. That would be a drastic measure indeed.

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh
Re: Bad press again...
* martin f. krafft:

> also sprach Henrique de Moraes Holschuh [EMAIL PROTECTED] [2005.08.27.1540 +0200]:
>>> security.debian.org already is a Single Point of Ownership. I don't
>>> think we need multiple ones, so this is definitely a post-etch thing.
>>
>> Irrelevant if secure apt is deployed correctly.
>
> No. Imagine exim gets a root exploit and I spoof the DNS to some mirror
> of s.d.o. That mirror will be consistent wrt secure APT, but it won't
> get updates, so admins who don't follow DSAs and run apt-get upgrade
> consciously and carefully are going to be left in the naive belief that
> they are safe because s.d.o doesn't have any new stuff.

You can address this with timestamp signatures, but I doubt it is worth
the complexity. A prerequisite would be replacing pool.ntp.org and
providing our own secure time source, and this is probably not something
we want to do.
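Editorial note, not part of the thread: the "timestamp signatures" Florian mentions here and the "require time stamping, and check it for undue values" that Henrique proposes earlier are the same mechanism, and it is the one Debian eventually adopted. Release files gained a Valid-Until: header alongside Date:, and apt refuses expired metadata when Acquire::Check-Valid-Until is on. The example below is added here to make that check concrete; it is not code from apt or from anyone in the thread. The Release header it parses is a constructed sample (the hash line is a placeholder), and signature verification of the Release file is assumed to have already succeeded, since the whole point of martin's frozen-mirror scenario is that the signature is valid and the metadata is merely stale.

```python
"""
Freshness check on APT Release metadata (illustrative, not apt's code).

A signature on a Release file proves the index came from the archive key,
but not that it is current: a frozen mirror, or a DNS-spoofed copy of an
old one, still carries a valid signature.  Debian later gave Release files
a Valid-Until: header, which apt enforces when Acquire::Check-Valid-Until
is set; the functions below reproduce that check, plus a sanity check on a
Date: that lies ahead of the local clock.  Signature verification (gpgv)
is assumed to have happened already and is not part of this example.
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample Release header for a hypothetical security suite;
# the hash line is a placeholder, not a real checksum.
SAMPLE_RELEASE = """\
Origin: Debian
Label: Debian-Security
Suite: stable
Codename: sarge
Date: Sat, 27 Aug 2005 10:00:00 UTC
Valid-Until: Sat, 03 Sep 2005 10:00:00 UTC
Architectures: i386
Components: main
MD5Sum:
 0123456789abcdef0123456789abcdef 1234 main/binary-i386/Packages
"""


def parse_release_headers(text: str) -> dict[str, str]:
    """Return the scalar 'Field: value' headers of a Release file.

    Continuation lines (leading space) hold the per-file hash entries,
    which this check does not need, so they are skipped.
    """
    fields: dict[str, str] = {}
    for line in text.splitlines():
        if not line or line[0].isspace() or ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def _as_utc(value: str) -> datetime:
    """Parse an RFC 2822 date as used in Release files into an aware UTC datetime."""
    parsed = parsedate_to_datetime(value)
    if parsed.tzinfo is None:  # a '-0000' zone yields a naive datetime
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed.astimezone(timezone.utc)


def freshness_problem(
    release_text: str,
    now: datetime,
    max_clock_skew: timedelta = timedelta(hours=1),
    max_age_without_valid_until: timedelta | None = None,
) -> str | None:
    """Return None if the Release metadata is acceptable, else a reason.

    Rejects metadata whose Valid-Until has passed (the frozen-mirror case),
    metadata whose Date is ahead of the local clock by more than the
    allowed skew (a clock problem, or a mirror lying about its age), and,
    unless the caller supplies a max-age policy, metadata with no
    Valid-Until at all.
    """
    fields = parse_release_headers(release_text)
    if "Date" not in fields:
        return "Release carries no Date: header"
    signed_at = _as_utc(fields["Date"])

    if signed_at - now > max_clock_skew:
        return (f"Release Date {signed_at:%Y-%m-%d %H:%M} UTC is ahead of the "
                f"local clock {now:%Y-%m-%d %H:%M} UTC; check the clock")

    if "Valid-Until" in fields:
        expires = _as_utc(fields["Valid-Until"])
    elif max_age_without_valid_until is not None:
        expires = signed_at + max_age_without_valid_until
    else:
        return "Release carries no Valid-Until: header and no max-age policy is set"

    if now > expires:
        return (f"Release expired at {expires:%Y-%m-%d %H:%M} UTC; the mirror "
                f"may be frozen or stale")
    return None


if __name__ == "__main__":
    utc = timezone.utc
    # Same day as signing: accepted (prints None).
    print(freshness_problem(SAMPLE_RELEASE, datetime(2005, 8, 27, 12, tzinfo=utc)))
    # Two weeks later a DNS-spoofed stale mirror still serves this file: rejected.
    print(freshness_problem(SAMPLE_RELEASE, datetime(2005, 9, 10, 12, tzinfo=utc)))
    # Local clock a day behind, so Date: appears to be in the future: flagged.
    print(freshness_problem(SAMPLE_RELEASE, datetime(2005, 8, 26, 12, tzinfo=utc)))
```

Two consequences follow directly from the thread. A short validity window only buys protection if the archive re-signs Release at least that often, which is the "automatic signing" Henrique describes; a one-week window like the sample's bounds how long a frozen mirror can keep a client ignorant of a DSA. And the check is only as good as the local clock: a host whose clock an attacker can set back will happily accept the stale copy, which is the weakness Florian and Henrique both point at when they bring up NTP.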
Re: Bad press again...
also sprach Henrique de Moraes Holschuh [EMAIL PROTECTED] [2005.08.27.1720 +0200]:
> Huh? They probably do, for all I know. Whether they have people they
> trust for the job right now is something else, though. We can probably
> expect

It's hard to tell, for the requirements are not publicly available. This
means that it's impossible for anyone to actually work towards the goal
of helping the stable security team.

> that some people will be promoted from the testing security team to the
> stable one in a reasonable timeframe (some months) without much fuss.

Some months is not a reasonable time frame for something like security;
every additional day hurts the project's reputation severely, at least
here in Germany and Switzerland. I have clients (one of which is a major
German bank) voicing their concerns and considering switching away from
Debian to Solaris because of the security fiascos.

-- 
Please do not send copies of list mail to me; I read the list!
martin f. krafft [EMAIL PROTECTED]
proud Debian developer and author: http://debiansystem.info
Debian - when you have better things to do than fixing a system
Invalid/expired PGP (sub)keys? Use subkeys.pgp.net as keyserver!

there are only 10 types of people in the world:
those who understand binary and those who don't.
Re: Bad press again...
On Sat, 27 Aug 2005, martin f krafft wrote:
> security; every additional day hurts the project's reputation severely,
> at least here in Germany and Switzerland. I have clients (one of which
> is a major German bank) voicing their concerns and considering
> switching away from Debian to Solaris because of the security fiascos.

Show how much they know about Solaris security.

Still, why don't you drop by IRC and try to talk to Branden and Joey?

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh
Re: Bad press again...
also sprach Henrique de Moraes Holschuh [EMAIL PROTECTED] [2005.08.27.2019 +0200]:
> Show how much they know about Solaris security.
>
> Still, why don't you drop by IRC and try to talk to Branden and Joey?

Branden is offline, and Joey can't be bothered to talk about this stuff
with me, it seems. He's never replied to mails or pings from me about
this stuff.

-- 
Please do not send copies of list mail to me; I read the list!
martin f. krafft [EMAIL PROTECTED]
proud Debian developer and author: http://debiansystem.info
Debian - when you have better things to do than fixing a system
Invalid/expired PGP (sub)keys? Use subkeys.pgp.net as keyserver!

/.ing an issue is like asking an infinite number of monkeys for advice
-- in #debian-devel
Re: Bad press again...
also sprach Florian Weimer [EMAIL PROTECTED] [2005.08.27.1107 +0200]:
>> Do we have a security team for stable? I know that we have a security
>> team for testing consisting of nine DDs and ten non-DDs, but it seems
>> to me that stable is handled by Joey alone. Has this changed since the
>> havoc a few months ago?
>
> I don't think so. Joey seems to be satisfied with this situation,

How would you know? And I don't think the question is whether Joey is
satisfied, it's more whether our users are satisfied, and that includes
all of us.

> and apart from unanswered email messages to [EMAIL PROTECTED], there
> are few complaints, AFAIK.

That's because complaints don't actually have any result, so I, for
instance, have stopped. I've pointed to severe problems with Debian
stable security several times before and usually got around 30 private
messages a day thanking me for raising these issues and for staying on
track. I don't think Joey found it necessary just a single time to
articulate a position on the issue of e.g. the three week outage in the
security team throughout June. The final announcement that was sent was
not authored by Joey, but by other DDs who were similarly concerned.

Now we've had another issue of problems with s.d.o, but we had to learn
about them from Heise.

Following the debate around LinuxTag, Branden put a trusted and very
active and skilled developer on the task to research the security
problems. Unfortunately, he has not been able to get far with this job
yet, probably due to numerous reasons. If Branden reads this (and he
should as it's CC'd), I hope he does something about the situation, not
by putting pressure on the researcher, but by actually causing some
change.

> The email part is very unfortunate indeed, but it probably doesn't
> warrant drastic measures.

Not if we want Debian to become known as an amateur club and lose value
among professionals.

And yeah, a client switching to Solaris may tell something about their
understanding of security... but then isn't it all the more important
for Debian to get it right and help protect those that don't know
better?

-- 
Please do not send copies of list mail to me; I read the list!
martin f. krafft [EMAIL PROTECTED]
proud Debian developer and author: http://debiansystem.info
Debian - when you have better things to do than fixing a system
Invalid/expired PGP (sub)keys? Use subkeys.pgp.net as keyserver!

will kill for oil!
Re: Bad press again...
[Florian Weimer]
> Correct me if I'm wrong, but the current team doesn't seem to want new
> members.

I've been told that the current stable security team consists of one
person doing the work, Martin Schulze. If this team does not want new
members, something strange is afoot.

And prospective security team members should start working in the
testing security team. There is no need to keep secrets (all is done in
public), and enough work for several people (just check out
<URL:http://spohr.debian.org/~joeyh/testing-security.html> :), and it is
a good place to demonstrate one's capacity in this area. :)

  Total holes unfixed: 93
  Total holes fixed in unstable but not testing: 135 (+3 on some arches)
  Total number of kernel image packages not up to date: 0
  Number of TODO lines in records: 153
Re: Bad press again...
also sprach Petter Reinholdtsen [EMAIL PROTECTED] [2005.08.27.2255 +0200]:
> I've been told that the current stable security team consists of one
> person doing the work, Martin Schulze. If this team does not want new
> members, something strange is afoot.

At least one other member is working actively. However, uploads and
announcements still have to go through Joey, and from what I learnt, the
workflow processes in the team are archaic yet Joey doesn't want to
divert from them. Note: this is all hearsay and may well be wrong. I'd
love for Joey to step in and give us the complete picture.

> And prospective security team members should start working in the
> testing security team. There is no need to keep secrets (all is done in
> public),

Which doesn't address the problem that embargoed bugs are possibly
handled suboptimally in Debian. And it does not address the problem that
our security infrastructure went down for a while and we found out about
it from a German news magazine.

-- 
Please do not send copies of list mail to me; I read the list!
martin f. krafft [EMAIL PROTECTED]
proud Debian developer and author: http://debiansystem.info
Debian - when you have better things to do than fixing a system
Invalid/expired PGP (sub)keys? Use subkeys.pgp.net as keyserver!

be the change you want to see in the world
-- mahatma gandhi
Re: Bad press again...
[Martin F Krafft]
>> And prospective security team members should start working in the
>> testing security team. There is no need to keep secrets (all is done in
>> public),
>
> Which doesn't address the problem that embargoed bugs are possibly
> handled suboptimally in Debian. And it does not address the problem
> that our security infrastructure went down for a while and we found out
> about it from a German news magazine.

True, it does not address those problems, and we should try to address
them. But it does address other related problems, and we will be a lot
better off if all the _public_ security issues in Debian were solved, and
having a proven security framework for testing and unstable might make
it easier to adjust the framework used for stable to make it better. If
all the public issues are solved, I believe it is easier to address the
handling of non-public ones.

In short, I see no downsides to helping out the testing security team
while we at the same time try to address the issues with stable security
work.
Re: Bad press again...
also sprach Petter Reinholdtsen [EMAIL PROTECTED] [2005.08.28.0025 +0200]:
> In short, I see no downsides to helping out the testing security team
> while we at the same time try to address the issues with stable
> security work.

I was not trying to suggest so. The testing security team is a true
asset and a keystone in the future of Debian security.

-- 
Please do not send copies of list mail to me; I read the list!
martin f. krafft [EMAIL PROTECTED]
proud Debian developer and author: http://debiansystem.info
Debian - when you have better things to do than fixing a system
Invalid/expired PGP (sub)keys? Use subkeys.pgp.net as keyserver!

if you are going to run a rinky-dink distro made by a couple of
volunteers, why not run a rinky-dink distro made by a lot of volunteers?
-- jaldhar h. vyas