On Tue, 9 Nov 2010 22:45:21 +0100, Julien Cristau wrote:
> Hi,
>
> I'm trying to figure out what we need for security support for squeeze.
> One blocker I know of is the dak upgrade on security-master; are there
> other things needed on the security team's side?
>
> The release notes also need an update regarding security support. We
> currently have the following text:
>
> > <section id="mozilla-security" condition="fixme">
> > <title>Security status of Mozilla products</title>
> > <para>
> > <indexterm><primary>Mozilla</primary></indexterm>
> > The Mozilla programs <systemitem role="package">firefox</systemitem>,
> > <systemitem role="package">thunderbird</systemitem>, and
> > <systemitem role="package">sunbird</systemitem> (rebranded in Debian to
> > <systemitem role="package">iceweasel</systemitem>, <systemitem
> > role="package">icedove</systemitem>, and <systemitem
> > role="package">iceowl</systemitem>, respectively) are important tools for
> > many users. Unfortunately the upstream security policy is to urge users to
> > update to new upstream versions, which conflicts with Debian's policy of not
> > shipping large functional changes in security updates. We cannot predict it
> > today, but during the lifetime of &releasename; the Debian Security Team
> > may come to a point where supporting Mozilla products is no longer feasible
> > and announce the end of security support for Mozilla products. You should
> > take this into account when deploying Mozilla and consider alternatives
> > available in Debian if the absence of security support would pose a problem
> > for you.
> > </para>
> > <para>
> > <systemitem role="package">iceape</systemitem>, the unbranded version
> > of the <systemitem role="package">seamonkey</systemitem> internet
> > suite has been removed from &releasename; (with the exception of a few
> > internal library packages).
> > </para>
> > </section>
>
> I suspect that this is still valid (excluding the part about iceape,
> which is back in squeeze). Should we add a blurb about the webkit-based
> browsers (epiphany, chromium, konqueror, others?)? If so, would anybody
> like to propose wording?
>
> > <section id="webservice-security" condition="fixme">
> > <title>Security status of OCS Inventory and SQL-Ledger</title>
> > <para>
> > <indexterm><primary>OCS Inventory</primary></indexterm>
> > <indexterm><primary>SQL-Ledger</primary></indexterm>
> > The webservice packages <systemitem
> > role="package">ocsinventory-server</systemitem> and <systemitem
> > role="package">sql-ledger</systemitem> are included in the &releasename;
> > release but have special security requirements that users should be aware of
> > before deploying them. These two webservices are designed for deployment
> > only behind an authenticated HTTP zone and should never be made available to
> > untrusted users, and therefore they receive only limited security support
> > from the Debian security team. Users should therefore take particular care
> > when evaluating who to grant access to these services.
> > </para>
> > </section>
>
> Has this changed (I guess not)? Are there other webapps in this
> category?
>
> Finally, are there other packages we know have limited security support,
> and should be mentioned there?
You may want to mention that openjdk-6 and sun-java-6 don't receive
security support/updates. I'm not sure whether this is a security team
policy decision, or whether it's simply a de facto state due to lack of
interest. The last DSA for openjdk was in April 2009 even though there
have been about 100 CVEs issued for it since then.

Mike

Archive: http://lists.debian.org/20101110160805.6254a02a.michael.s.gilb...@gmail.com