What follows is a summary of the first testing-security meeting held at Oldenburg September 22, 2005 with joeyh, micah, jmm, lamont in attendance:
. Discussed stable security and Brandon's arrival and what
testing-security can offer to help with stable-security issues
. transparency of stable security - tracking tools
. stable is primarily responsible for embargoed issues
. Discussed vendor-sec criteria and if it made sense for
testing-security people to try and obtain it. The general
consensus was that the majority of the issues we deal with are already
public or get fixed in such a short time that we do not need to have
access to embargoed issues.
. Discussed each person's work-flow to get an idea of what lists/websites
each of us monitor and ways that we identify problems/fixes. Getting these
things documented would help identify what is missing and what new people
can help with.
. watching for holes:
watch/scan bugs that are tagged in the BTS
lists: bugraq, bug-dists, debian-devel-changes (should filebugs, tag
security), full disclosure, lkml
"exploit tree" as potentially useful if we could manage to track it
. checking for the existence of packages affected by issues:
search for ITP
check for previous advisory
check packages.debian
apt-cache search
. couple times a week, open each bug on testing-security page tabs and check
to see if they are closed
NOTE: if a CVE advisory says fixed in version 1.5 and later, you should not
trust this and see
if it is vulnerable in versions prior if they are in debian
. We talked about some of the issues on Mortiz' email, and identified some
interesting things to work on:
tsck:
make it just svn update the secure-testing list, but not the html page,
or smaller subset
adapt it to the new syntactical changes to the list (urgencies etc.)
user-tags:
use testing-security, mark as reviewed, also mark bugs that have a CVE
id with that ID
retroactive list clensing:
go through CAN/list to retroactively add not-affected to issues that do
not have it
perhaps add more tags that fw has created
documentation issues:
overview of developer's reference changes (micah is working on making
these changes)
DTSA criteria:
we only identified that we should figure this out
agreeing on severity levels and embedded source/removed packages so it
can be documented
workflow overview
Others:
We didn't get through the whole list, but will at later meetings
signature.asc
Description: Digital signature
_______________________________________________ Secure-testing-team mailing list [email protected] http://lists.alioth.debian.org/mailman/listinfo/secure-testing-team
