also sprach Petter Reinholdtsen <[EMAIL PROTECTED]> [2005.08.28.0025 +0200]:
> In short, I see no downsides to helping out the testing security team
> while we at the same time try to address the issues with stable
> security work.
I was not trying to suggest so. The testing security team is a tru
[Martin F Krafft]
>> And prospective security team members should start working in the
>> testing security team. There are no need to keep secrets (all is done
>> in public),
>
> Which doesn't address the problem that embargoed bugs are possibly
> handled suboptimally in Debian.
>
> And it does n
also sprach Petter Reinholdtsen <[EMAIL PROTECTED]> [2005.08.27.2255 +0200]:
> I've been told that the current stable security team consists of one
> person doing the work, Martin Schulze. If this "team" does not want new
> members, something strange is afoot.
At least one other member is working ac
[Florian Weimer]
> Correct me if I'm wrong, but the current team doesn't seem to want
> new members.
I've been told that the current stable security team consists of one
person doing the work, Martin Schulze. If this "team" does not want new
members, something strange is afoot.
And prospective sec
also sprach Florian Weimer <[EMAIL PROTECTED]> [2005.08.27.1107 +0200]:
> > Do we have a security team for stable? I know, that we have a
> > security team for testing consisting of nine DDs and ten
> > non-DDs, but it seems to me, that stable is handled by Joey
> > alone. Has this changed since
also sprach Henrique de Moraes Holschuh <[EMAIL PROTECTED]> [2005.08.27.2019 +0200]:
> Show how much they know about Solaris security. Still, why don't you drop
> by IRC and try to talk to Branden and Joey?
Branden is offline, and Joey can't be bothered to talk about this
stuff with me, it seems
On Sat, 27 Aug 2005, martin f krafft wrote:
> security; every additional day hurts the project's reputation severely,
> at least here in Germany and Switzerland. I have clients (one of
> which is a major German bank) voicing their concerns and considering
> switching away from Debian to Solaris becaus
also sprach Henrique de Moraes Holschuh <[EMAIL PROTECTED]> [2005.08.27.1720 +0200]:
> Huh? They probably do, for all I know. Whether they have people
> they trust for the job right now is something else, though. We
> can probably expect
It's hard to tell for the requirements are not publicly av
On Sat, 27 Aug 2005, Florian Weimer wrote:
> * Henrique de Moraes Holschuh:
> > On Sat, 27 Aug 2005, Florian Weimer wrote:
> >> I don't think so. Joey seems to be satisfied with this situation, and
> >> apart from unanswered email messages to <[EMAIL PROTECTED]>, there
> >> are few complaints, AFA
On Sat, 27 Aug 2005, Henrique de Moraes Holschuh wrote:
> For this to work, you need a master s.d.o mirror, and automatic signing (so
> that you can keep the timestamping as low as a few hours). This gives you a
> mirror network, with the same single "owning" point of failure we have right
> now.
also sprach Florian Weimer <[EMAIL PROTECTED]> [2005.08.27.1648 +0200]:
> Correct me if I'm wrong, but the current team doesn't seem to want
> new members. If you nevertheless force new members upon them, you
> are in fact looking for a complete replacement. This is what
> I call "drastic".
When
* martin f. krafft:
> FWIW, Florian sent me this interesting link:
> http://www.cs.berkeley.edu/~nweaver/0wn2.html
This was only intended as an explanation of the term "single point
of ownership". I don't agree with Nicholas Weaver's analysis.
Hi martin!
On Sat, 27 Aug 2005, martin f krafft wrote:
> also sprach Henrique de Moraes Holschuh <[EMAIL PROTECTED]> [2005.08.27.1540 +0200]:
> > > security.debian.org already is a Single Point of Ownership. I don't
> > > think we need multiple ones, so this is definitely a post-etch thing.
>
* martin f. krafft:
> also sprach Henrique de Moraes Holschuh <[EMAIL PROTECTED]> [2005.08.27.1540 +0200]:
>> > security.debian.org already is a Single Point of Ownership. I don't
>> > think we need multiple ones, so this is definitely a post-etch thing.
>>
>> Irrelevant if secure apt is depl
* Henrique de Moraes Holschuh:
> On Sat, 27 Aug 2005, Florian Weimer wrote:
>> * martin f. krafft:
>> > I think Alvin was alluding to how it *should* be solved. As in: we
>> > should have more than one security server, globally spaced.
>>
>> security.debian.org already is a Single Point of Owners
* Petter Reinholdtsen:
> The count of open security issues in stable and oldstable is probably
> a better measuring meter, and it does not look too good.
Security support is a task for Debian as a whole, not just the
security team. IMHO, the main role of the security team is
information sharing,
also sprach Rudolf Lohner <[EMAIL PROTECTED]> [2005.08.27.1651 +0200]:
> This scenario could be avoided if s.d.o would authenticate itself.
> Is authentication of the server something which has been considered
> with secure apt?
I've suggested this before but never had the time to implement it.
Pat
On Saturday, 27 August 2005 15:44, martin f krafft wrote:
> No. Imagine exim gets a root exploit and I spoof the DNS to some
> mirror of s.d.o. That mirror will be consistent wrt secure APT, but
> it won't get updates, so admins who don't follow DSAs and run
> apt-get upgrade consciously and caref
* Henrique de Moraes Holschuh:
> On Sat, 27 Aug 2005, Florian Weimer wrote:
>> I don't think so. Joey seems to be satisfied with this situation, and
>> apart from unanswered email messages to <[EMAIL PROTECTED]>, there
>> are few complaints, AFAIK. The email part is very unfortunate indeed,
>> b
On Sat, Aug 27, 2005 at 11:07:21AM +0200, Florian Weimer wrote:
> apart from unanswered email messages to <[EMAIL PROTECTED]>, there
> are few complaints, AFAIK. The email part is very unfortunate indeed,
I'm not entirely happy with the lack of redundance.
Given the (not only commercial) signifi
also sprach Henrique de Moraes Holschuh <[EMAIL PROTECTED]> [2005.08.27.1540 +0200]:
> > security.debian.org already is a Single Point of Ownership. I don't
> > think we need multiple ones, so this is definitely a post-etch thing.
>
> Irrelevant if secure apt is deployed correctly.
No. Imagine
On Sat, 27 Aug 2005, Florian Weimer wrote:
> I don't think so. Joey seems to be satisfied with this situation, and
> apart from unanswered email messages to <[EMAIL PROTECTED]>, there
> are few complaints, AFAIK. The email part is very unfortunate indeed,
> but it probably doesn't warrant drastic
On Sat, 27 Aug 2005, Florian Weimer wrote:
> * martin f. krafft:
> > I think Alvin was alluding to how it *should* be solved. As in: we
> > should have more than one security server, globally spaced.
>
> security.debian.org already is a Single Point of Ownership. I don't
> think we need multiple
[Florian Weimer]
> I don't think so. Joey seems to be satisfied with this situation,
> and apart from unanswered email messages to <[EMAIL PROTECTED]>,
> there are few complaints, AFAIK.
I'm not sure if the satisfaction of Martin Schulze is a good measuring
stick to judge the quality of the stabl
* W. Borgert:
> Do we have a security team for stable? I know, that we have a
> security team for testing consisting of nine DDs and ten
> non-DDs, but it seems to me, that stable is handled by Joey
> alone. Has this changed since the havoc a few months ago?
I don't think so. Joey seems to be
* martin f. krafft:
> I think Alvin was alluding to how it *should* be solved. As in: we
> should have more than one security server, globally spaced.
security.debian.org already is a Single Point of Ownership. I don't
think we need multiple ones, so this is definitely a post-etch thing.