On Sat, Jul 07, 2007 at 05:15:49PM +0200, Moritz Muehlenhoff wrote: > > debtags seemed the most passable choice. I believe we need: > * [etch|lenny]-security-unsupported to flag that a source package has no > support by the Security Team. It should be distribution-specific to > allow revoking support for individual suites, as it was necessary for > Mozilla in Sarge.
Naturally, this should be used sparingly and even then only when absolutely necessary. The Sarge Mozilla is an excellent example of that. The security team did everything it could and then only was support suspended as a last resort. > * local-use-only (or something similar, I'm unsure about the exact naming), > to indicate that security support only applies to local, trusted users. > An example: SQL-Ledger has a horrible security track record, so we only > support to run it behind an authenticated HTTP zone. It's still a useful > software and limiting support is a viable choice; doing accounting carries > a whole lot of implicit trust anyway. > I agree with this in principle. However, if "limited" security support is something which will be an official part of the security team's support, then there must be guidelines. That is, the security team (or the package maintainer with the approval of the security team) should provide guidelines as to exactly what security support will provided and what security support will not be provided. IIRC, something like this has already been done for PHP regarding safe mode. In this way, administrators can know which configurations will receive security support and which will not. I would recommend that if this is to be come something that applies to more than one or two packages, then a new file needs to be introduced. Call it SECURITY.Debian (similar to README.Debian). That way, the mere existence of the file alerts the user/admin to special considerations which need to be examined for that package's security support. The admin can then read the contents of the file to find the security team's position on supporting that package. Regards, -Roberto -- Roberto C. Sánchez http://people.connexer.com/~roberto http://www.connexer.com
signature.asc
Description: Digital signature
