Current problems with Debian Security have led me to reconsider
this issue, which I thought about one year ago or so. Debian Security
is very crucial to our users and thus should be managed properly.
To help improve the situation I'm offering a very important job within
the Debian project. I'd like to have somebody who will help the core
Debian Security Team do their work. This seems to be required
since all members of the Security Team have other important things to
do and still don't know how to fork(2) themselves.
This position requires:
. Discussing security problems with the Security Team, as well as
with third parties.
. Notifying the Security Team of incidents they haven't noticed
already.
. Maintaining an internal list of security incidents, both resolved
and unresolved.
. Reminding members of the Debian Security Team until they release an
advisory or decide that Debian is not vulnerable to a particular
problem.[1]
. Ensuring that not only packages in stable but also in the unstable
distribution contain security fixes. This implies continuously
kindly reminding package maintainers, eventually also preparing
releases or NMUs for unstable with the help of the QA or Security Team.
. Extracting security patches from other vendors' security fixes for
further investigation by the Security Secretary or the Debian
Security Team.
. Preparing security patches together with the Debian Security Team.
This is done by:
. Reading and understanding bugtraq.
. Monitoring[2] other distributions' security advisories (at least
Immunix, Trustix, EnGarde, Caldera, RedHat, SuSE, Mandrake and
Conectiva, the more the better). This should be done by
subscribing to other vendors' security lists.
. Reading and understanding mail on the private list of the Debian
Security Team.
Explanations:
[1] From time to time the Security Team forgets about security issues.
It is very time-consuming to do research on old issues, but it
has to be done.
[2] This could help http://www.infodrom.ffis.de/Linux/security/, but
it is also not complete enough.
Regards,
Joey
--
The good thing about standards is that there are so many to choose from.
-- Andrew S. Tanenbaum