Re: Bad press related to (missing) Debian security - action

2005-06-29 Thread Micah Anderson
Alvin Oga wrote on Tuesday, 28 June 2005:

 On Tue, 28 Jun 2005, Micah Anderson wrote:
 
  Alvin Oga wrote on Tuesday, 28 June 2005:
 
  If you are interested in testing security, then there is a group
  working on this project. Here is some information about the history of
  the team, and if you read through the message there is information
  about how to help:
  
  http://lists.debian.org/debian-devel-announce/2005/03/msg00014.html
 
 saw that before ... and no response ... so i let it die,
 the assumption being, that people looking for helpers will reply
 to those volunteering, but i guess one has to pass the screeners
 requirements before getting onto the next level

You sent an email where about what and got no response? I did not see
your offer to help come across the mailing list (if it is there, can
you point out the URL to the message?)...

Often people looking for helpers are needing helpers because they are
so busy that they need people who are wanting to help to take
initiative, rather than be hand-held.

micah


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Re: Bad press related to (missing) Debian security - action

2005-06-29 Thread Alvin Oga

On Wed, 29 Jun 2005, Micah Anderson wrote:

 Alvin Oga wrote on Tuesday, 28 June 2005:
 
 You sent an email where about what and got no response? I did not see
 your offer to help come across the mailing list (if it is there, can
 you point out the URL to the message?)...

i think you can search thru the debian security archives just as
easily as i can or in fact even more easily since you have a debian acct ??

in either case, it doesn't matter to me if people reply or not to those
that are volunteering
- i go on the assumption that people get selected based on
the merits or pecking order or friends of friends or ??
whatever the criteria is ..

- from this last batch of emails about security, i saw there
was a bunch of folks willing to help do security work ..
and i'm hoping somebody takes up the volunteer's offerings
and unload some tasks or do some other forms of methodology tests

 Often people looking for helpers are needing helpers because they are
 so busy that they need people who are wanting to help to take
 initiative, rather than be hand-held.

i don't want any handholding ... other than access to the resources
and info and/or question answer ..
- in my case, i'd like to create test-sec.debian.org
for which i cannot do anything about it unless i do get
some handholding and its purpose to supplement the security
patches that i see is lacking in testing
( 2 or 3 months behind current releases is too far back for me )

and everybody is busy...
- first priority for me/us is paying customers as that is
what keeps our expenses paid...
and then volunteer for folks(entities) that wants some help

c ya
alvin





Re: Bad press related to (missing) Debian security - action

2005-06-29 Thread Petter Reinholdtsen

[Alvin Oga]
 i don't want any handholding ... other than access to the resources
 and info and/or question answer ..
   - in my case, i'd like to create test-sec.debian.org
   for which i cannot do anything about it unless i do get
   some handholding and its purpose to supplement the security
   patches that i see is lacking in testing
   ( 2 or 3 months behind current releases is too far back for me )

Everybody has access to the resources used by the testing security
team.  If you start submitting updates there, I am sure your effort
will have positive effect.  There is no reason for you to wait for a
debian.org domain name.  If you want a new APT repository, you can
create it anywhere, and if it proves to be a good idea it can be made
available as test-sec.debian.org or something similar some time in the
future.

The information about the testing security team is available from
http://secure-testing.alioth.debian.org/, and the subversion
repository used to track security issues is publicly available.  Patch
submission into BTS can be done by anyone, and NMUs can be prepared by
anyone for review and upload by any Debian developer.  I am convinced
several of the Debian developers in the testing security team are
willing to do uploads.  And, when the issue is completely investigated
and the patch is available, the work left for the stable security team
will be much reduced. :)

So, no need to wait, just go ahead.





Re: Bad press related to (missing) Debian security - action

2005-06-29 Thread Micah Anderson
Alvin Oga wrote on Wednesday, 29 June 2005:

 
 On Wed, 29 Jun 2005, Micah Anderson wrote:
 
  Alvin Oga wrote on Tuesday, 28 June 2005:
  
  You sent an email where about what and got no response? I did not see
  your offer to help come across the mailing list (if it is there, can
  you point out the URL to the message?)...
 
 i think you can search thru the debian security archives just as
 easily as i can or in fact even more easily since you have a debian acct ??

Did you read the email that I referenced? It doesn't sound like you
did. 

 in either case, it doesn't matter to me if people reply or not to those
 that are volunteering
   - i go on the assumption that people get selected based on
   the merits or pecking order or friends of friends or ??
   whatever the criteria is ..

The testing-security team is not operating this way.

   - from this last batch of emails about security, i saw there
   was a bunch of folks willing to help do security work ..
   and i'm hoping somebody takes up the volunteer's offerings
   and unload some tasks or do some other forms of methodology tests

I sent a message whose contents detail how to get involved in the
testing-security team for those who wish to volunteer. 

micah





Re: Bad press related to (missing) Debian security - action

2005-06-29 Thread Alvin Oga

On Wed, 29 Jun 2005, Micah Anderson wrote:

  i think you can search thru the debian security archives just as
  easily as i can or in fact even more easily since you have a debian acct ??
 
 Did you read the email that I referenced? It doesn't sound like you
 did. 

this is precisely why volunteers disappear

of course i read it ... the first time you posted and the 2nd time when
you sent the same url again .. multiple times for how to volunteer

somehow, magically, volunteers can become overnight experts
and no handholding is needed at all or who is doing what

i think there has been enough about emails in here.. and since no
proactive direction is being made, i think i'll bow out of volunteering 
again .. but will gladly help later when things are more organized and
it's clear what the benefits of volunteering hundreds of hrs/month would be

thanx for your time in replies ... 

c ya
alvin





Re: Bad press related to (missing) Debian security - action

2005-06-29 Thread Micah Anderson
Alvin Oga wrote on Wednesday, 29 June 2005:

 
 On Wed, 29 Jun 2005, Micah Anderson wrote:
 
   i think you can search thru the debian security archives just as
   easily as i can or in fact even more easily since you have a debian acct ??
  
  Did you read the email that I referenced? It doesn't sound like you
  did. 
 
 this is precisely why volunteers disappear

I'm sorry I don't understand. Volunteers disappear because they read a
message detailing how to volunteer and then don't follow those
directions and then disappear? If someone wants to volunteer, then
they need to do the things that are detailed about how to get
involved, otherwise they are disappearing themselves.

I do not understand, the directions are clear, and I reproduce them
and the referenced URLs below:

Any with an interest in participating are welcome to join the team,
Debian Developers and others with the skills and desire to help. The
team can be contacted through its mailing list[14]. There is a second
mailing list[15] that receives commit messages to our repository. An
alioth project page[1] is also available. Have a read of this
message[16] if you are interested in participating, the details are
there about how to start helping check CANs on a regular basis.

http://lists.alioth.debian.org/mailman/listinfo/secure-testing-team
http://lists.alioth.debian.org/mailman/listinfo/secure-testing-commits
http://secure-testing.alioth.debian.org/
http://lists.debian.org/debian-security/2004/10/msg00166.html

I note that there is no message from you found on the
secure-testing-team mailing list. I am unable to find your alioth
account, did you sign up for one? Did you email the secure-testing
alioth project administrator to be added to the project? Did you check
out the svn repository? 

 of course i read it ... the first time you posted and the 2nd time when
 you sent the same url again .. multiple times for how to volunteer

Please, where in the details about how to volunteer did you get stuck
so we can improve them? 

 somehow, magically, volunteers can become overnight experts
 and no handholding is needed at all or who is doing what

You do not need to be an expert, but you do need to be able to follow
directions that are detailed for you, if directions do not make sense,
ask and they will be cleared up. How magic do you want the process?

 i think there has been enough about emails in here.. and since no
 proactive direction is being made, i think i'll bow out of volunteering 
 again .. but will gladly help later when things are more organized and
 it's clear what the benefits of volunteering hundreds of hrs/month would be

The benefits of volunteering are also detailed in that email. What
sort of proactive direction are you expecting? I think you have it
backwards, the proactivity needs to come from you. You are right that
the group is still in its infancy in terms of being organized, but how
do you expect it to become organized? The only way it will become
organized in a volunteer organization is if the volunteers (read: this
can be you), proactively organize it. If you wish to wait until
everyone else has done the work to organize the group, and then you
want to come in and do something you may find that the group is
organized in a way that you do not like and you will regret that you did
not help organize it the way you like.

Micah


signature.asc
Description: Digital signature


Re: Bad press related to (missing) Debian security - action

2005-06-29 Thread Alvin Oga


hi ya micah

- thanx for trying ... lets see what happens

On Wed, 29 Jun 2005, Micah Anderson wrote:

 Alvin Oga wrote on Wednesday, 29 June 2005:
  
  On Wed, 29 Jun 2005, Micah Anderson wrote:
... 
   Did you read the email that I referenced? It doesn't sound like you
   did. 
  
  this is precisely why volunteers disappear
 
 I'm sorry I don't understand.

i read more into your comment about having read the prev urls or not
which, like i said, i did read

 http://lists.alioth.debian.org/mailman/listinfo/secure-testing-team
 http://lists.alioth.debian.org/mailman/listinfo/secure-testing-commits
 http://secure-testing.alioth.debian.org/
 http://lists.debian.org/debian-security/2004/10/msg00166.html

i'll look thru those later
 
 I note that there is no message from you found on the
 secure-testing-team mailing list.

i posted/replied in the debian-security list when joey and crew
was previously looking for volunteers

 I am unable to find your alioth account, did you sign up for one?

don't have one

 Did you email the secure-testing
 alioth project administrator to be added to the project?

don't know the folks of who does what ..etc

 Did you check out the svn repository? 

nope ...


  of course i read it ... the first time you posted and the 2nd time when
  you sent the same url again .. multiple times for how to volunteer
 
 Please, where in the details about how to volunteer did you get stuck
 so we can improve them? 

in my case... i suppose i'm the idiot ... since i want to do things
differently ...

- i'm interested in releasing xxx-latest.deb packages
for testing 

- latest kernel, latest apache, latest php, latest xxx
and in my case, and for our customers, being a month
or two out of date could be a very bad thing which is
why we're interested in newer security methodology
and we already do our magic inhouse for the latest xxx
apps

- i'm assuming that the authors and package maintainers
are already doing their patches based on announced vulnerabilities
and exploits, and i'm wanting to avoid re-inventing that wheel

- thanx again for taking the time to reply..
  and i'll spend some time on the new urls
 
 The benefits of volunteering are also detailed in that email. What
 sort of proactive direction are you expecting?

at a minimum ..
- latest kernels in *.deb form from kernel.org
- latest apache from apache.org 
... endless list ..

 I think you have it
 backwards, the proactivity needs to come from you.

i'd like a place ( a server ) where all these packages can be kept

maybe we'd just need to start, similar to what nerim.net does with
mplayer*.deb

unfortunately, the suits wants patches all from debian.org
or inhouse, where, guess who ( me ) takes the ball and responsibility
for inhouse packages vs importing from   tom-dic-n-harrry and
sally-mary-janes site

 You are right that
 the group is still in its infancy in terms of being organized,

its okay...  good to grow

 but how
 do you expect it to become organized?

replying to those wanting to volunteer is a good start... as you have
been doing .. thanx for that

 The only way it will become
 organized in a volunteer organization is if the volunteers (read: this
 can be you), proactively organize it.

sometimes, us volunteers do NOT have the luxury to change the 
way things are done ... or even given 1 month to implement the next
big idea and see if it works or not ...

old ways are good ... its proven .. it works

if the old ways does NOT address new problems ... then somebody else
might solve those problems... and/or change distros

 If you wish to wait until
 everyone else has done the work to organize the group, and then you
 want to come in and do something you may find that the group is
 organized in a way that you do not like and you will regret that you did
 not help organize it the way you like.

:-) .. thusly, i'm still here ... looking and watching

-- are you local ... ( silicon valley area ).. probably easier to talk
   face-to-face vs thru phosphorous emissions
- and/or with any other security team volunteer 

c ya
alvin





Re: Bad press related to (missing) Debian security - action

2005-06-28 Thread Alvin Oga

hi ya

On Tue, 28 Jun 2005, Javier Fernández-Sanguino Peña wrote:

lots of people have their own requirements for security ...

instead of adding to the security team's tasks, and instead of writing
emails, why don't we spend the time to write some scripts to do
what we're expecting to be done by the security team ??

- the security tasks are not that hard to implement
but does require time and some forethought

- more importantly the testing prior to release of packages
  should be 100% automated ... so that any volunteer can run
  the regression test suites prior to releasing patches

- there is NOT one right security solution but there will be many
  possible solutions

- yes.. i'm volunteering if there is enough folks that want to 
  solve security problems and automate security patch releases
- it's a task for debian-man .. more than what super-man or
bat-man can do

c ya
alvin




Re: Bad press related to (missing) Debian security - action

2005-06-28 Thread martin f krafft
thus spoke Alvin Oga [EMAIL PROTECTED] [2005.06.28.1031 +0200]:
 lots of people have their own requirements for security ...

security *is* subjective.

 instead of adding to the security team's tasks, and instead of
 writing emails, why don't we spend the time to write some scripts
 to do what we're expecting to be done by the security team ??

thanks for the proposal. why did you write it and not just get on
with those scripts already?

 - yes.. i'm volunteering if there is enough folks that want to 
   solve security problems and automate security patch releases
   - it's a task for debian-man .. more than what super-man or
   bat-man can do

people volunteering are useless. people actually doing something
are not.

-- 
Please do not send copies of list mail to me; I read the list!
 
 .''`. martin f. krafft [EMAIL PROTECTED]
: :'  :proud Debian developer and author: http://debiansystem.info
`. `'`
  `-  Debian - when you have better things to do than fixing a system
 
Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!
 
a bachelor is a man who never made the same mistake once.




Re: Bad press related to (missing) Debian security - action

2005-06-28 Thread Frans Pop
On Tuesday 28 June 2005 11:02, martin f krafft wrote:
  instead of adding to the security team's tasks, and instead of
  writing emails, why don't we spend the time to write some scripts
  to do what we're expecting to be done by the security team ??

 thanks for the proposal. why did you write it and not just get on
 with those scripts already?

  - yes.. i'm volunteering if there is enough folks that want to
solve security problems and automate security patch releases
  - it's a task for debian-man .. more than what super-man or
  bat-man can do

 people volunteering are useless. people actually doing something
 are not.

Hey! You were being so constructive and positive. Why are you now falling 
back to old fashioned Debian-like flaming?

Before you actually start something in an area like this I think it's 
perfectly fair to first mail the list and get reactions.

Maybe you should take a break and let others get their ideas into this 
thread. (Not saying that your contribution so far isn't appreciated.)

Cheers,
FJP




Re: Bad press related to (missing) Debian security - action

2005-06-28 Thread Alvin Oga

On Tue, 28 Jun 2005, Alvin Oga wrote:

 On Tue, 28 Jun 2005, martin f krafft wrote:
 
  thanks for the proposal. why did you write it and not just get on
  with those scripts already?

<idea>
if somebody at debian.org can create yaml, say [EMAIL PROTECTED],
then the rest of us moaners, complainers and wanna-volunteer can
get started ...

debian's gods can watch and see if they like or dislike what we're
doing and incorporate it into the main hierarchy or not

the machine can be called sec-test.debian.org so that we have
a way to test another security update/process/procedures out
</idea>

personally, i pull down all the important tar balls from the originating
author's site and compile it ... if the distro's version of any app is
too far behind

flame suit on
c ya
alvin





Re: Bad press related to (missing) Debian security - action

2005-06-28 Thread martin f krafft
thus spoke Alvin Oga [EMAIL PROTECTED] [2005.06.28.1420 +0200]:
 if somebody at debian.org can create yaml, say
 [EMAIL PROTECTED], then the rest of us moaners,
 complainers and wanna-volunteer can get started ...

Just use this list.

 the machine can be called sec-test.debian.org so that we have
 a way to test another security update/process/procedures out

Mh, I am not sure this is viable as you guys would probably need
root on the machine, which is a credibility problem when someone
else hosts it...

-- 
Please do not send copies of list mail to me; I read the list!
 
 .''`. martin f. krafft [EMAIL PROTECTED]
: :'  :proud Debian developer and author: http://debiansystem.info
`. `'`
  `-  Debian - when you have better things to do than fixing a system
 
Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!
 
we americans, we're a simple people... 
 but piss us off, and we'll bomb  your cities.
 -- robin williams, good morning vietnam




Re: Bad press related to (missing) Debian security - action

2005-06-28 Thread Alvin Oga

On Tue, 28 Jun 2005, martin f krafft wrote:

 Just use this list.

i think the point of this list is it's not moving fast
enough for some folks wanting security updates
 
  the machine can be called sec-test.debian.org so that we have
  a way to test another security update/process/procedures out
 
 Mh, I am not sure this is viable as you guys would probably need
 root on the machine, which is a credibility problem when someone
 else hosts it...

hosting a server is trivially simple... esp for a test server

point test-sec.debian.org to any ip# sitting on a t1 or t3 or
OC-xxx  and everybody can start working on it

- all other debian boxes does NOT trust it and nobody else should
  trust it either... it is for testing and development

c ya
alvin





Re: Bad press related to (missing) Debian security - action

2005-06-28 Thread martin f krafft
thus spoke Alvin Oga [EMAIL PROTECTED] [2005.06.28.1451 +0200]:
 - all other debian boxes does NOT trust it and nobody else should
 trust it either... it is for testing and development

I know. But what happens when someone decides to abuse it? I could
host a machine, no problem. But giving root access to others is the
problem.

-- 
Please do not send copies of list mail to me; I read the list!
 
 .''`. martin f. krafft [EMAIL PROTECTED]
: :'  :proud Debian developer and author: http://debiansystem.info
`. `'`
  `-  Debian - when you have better things to do than fixing a system
 
Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!
 
why didn't noah swat those two mosquitoes?




Re: Bad press related to (missing) Debian security - action

2005-06-28 Thread Robert Lemmen
On Tue, Jun 28, 2005 at 05:20:51AM -0700, Alvin Oga wrote:
 personally, i pull down all the important tar balls from the originating
 author's site and compile it ... if the distro's version of any app is
 too far behind

the main point about stable security is that exactly this does not
happen: i want security fixes for the versions that i have installed,
not newer versions. and that's also where things get complicated...

cu  robert

-- 
Robert Lemmen   http://www.semistable.com 




Re: Bad press related to (missing) Debian security - action

2005-06-28 Thread Micah Anderson
Alvin Oga wrote on Tuesday, 28 June 2005:

[snip]
 etch/testing where are the security patches ??
   - i want it to also have latest apps i care about
   ( latest kernels, latest apache, latest xxx, .. )
 
   - this is the parts i'm interested in structuring for security
   updates as some/most security patches are fixed in later releases
   from the originating authors/sites  and they already maintain
   and keep their eyes on all the announced vulnerabilities and
   exploits

If you are interested in testing security, then there is a group
working on this project. Here is some information about the history of
the team, and if you read through the message there is information
about how to help:

http://lists.debian.org/debian-devel-announce/2005/03/msg00014.html

micah




Re: Bad press related to (missing) Debian security - action

2005-06-28 Thread Alvin Oga


On Tue, 28 Jun 2005, Micah Anderson wrote:

 Alvin Oga wrote on Tuesday, 28 June 2005:

 If you are interested in testing security, then there is a group
 working on this project. Here is some information about the history of
 the team, and if you read through the message there is information
 about how to help:
 
 http://lists.debian.org/debian-devel-announce/2005/03/msg00014.html

saw that before ... and no response ... so i let it die,
the assumption being, that people looking for helpers will reply
to those volunteering, but i guess one has to pass the screeners
requirements before getting onto the next level

c ya
alvin

