Bug#971515: Request for security team input on kubernetes TC bug

2020-11-17 Thread Moritz Mühlenhoff
On Sun, Nov 08, 2020 at 10:49:31PM +0100, Florian Weimer wrote: > * Moritz Mühlenhoff: > > > * Follow a scheme similar to Firefox ESR where in case of a security > > the update either happens to the latest minor release of > > the current branch or if that has stop

Bug#971515: Request for security team input on kubernetes TC bug

2020-11-17 Thread Moritz Mühlenhoff
Catching up on this... > > This leaves Debian with two options: > > * Keep it out of a stable release and accept that it's good enough > > if people just install whatever deb they currently find in testing/sid > > (works out well enough for most given that blob nature of Go!) > > IMHO this

Bug#971515: Request for security team input on kubernetes TC bug

2020-10-27 Thread Moritz Mühlenhoff
On Wed, Oct 21, 2020 at 08:22:11AM -0700, Sean Whitton wrote: > Hello security team, > > The TC are being asked about src:kubernetes, and it would be good to > hear from you about whether and how security support is a relevant > consideration in determining whether the level of vendoring in that

Bug#947847: please install systemd-sysusers using update-alternatives

2020-01-29 Thread Moritz Mühlenhoff
Simon McVittie wrote: > I think we have a fairly good picture of the costs that would be > incurred from using alternatives: Plus in the case of opentmpfiles; a pile of security issues: systemd-tmpfiles addresses a number of complex races using low level primitives like openat() et al. or O_PATH,

Bug#802159: New OpenSSL upstream version

2015-12-06 Thread Moritz Mühlenhoff
Hi, Personally I'm in favour of following the openssl point updates and I'd like to add an additional data point to the discussion: CVE-2015-3196 was already fixed as a plain bugfix in an earlier point release, but the security impact was only noticed later on, so following the point updates

Bug#727708: systemd (security) bugs (was: init system question)

2013-11-30 Thread Moritz Mühlenhoff
On Thu, Nov 28, 2013 at 08:07:16PM -0600, Steve Langasek wrote: All distributions care about not having security issues in their code, but that's not the same thing as actually doing the work to audit the code. In practice this only happens when dedicated resources are turned on the code in