Debian Security Teams Meeting 2008
- Date: 2008-11-28 - 2008-11-30
- Location: Linux-Hotel, Essen, Germany
- Sponsoring: Approval of DPL (travel, accommodation via SPI, Debian-UK and ffis e.V.)
Agenda
- Improve cooperation
- Infrastructure Improvements / Problems
- Fewer split groups / dak in all groups / everything in /org/security.d.o read/writeable by dak. (Put other stuff in an extra place?!) The current setup is hard to work in as ftpmaster.
- Team members
- Security support of Debian Releases
- Organisation of work, ticket management, systematic stable-security triage instead of the current chaos
- Discuss potential LTS support for Lenny (funding, organisational issues)
- Beta test infrastructure
- Security support for backports.org
- Automated generation of webwml for DSAs
- Handling of Downloader packages in the Tracker (like flashplugin-nonfree)
- Better support for marking non-issues as non-issues (new tag or something similar?)
- Drop Sarge from the Security Tracker
- The Mozilla situation
- Procedures for processing individual mails to team@ and vendor-sec@
- Sec_public for stable updates
- Security hardening of the archive
Attendees
Pairs refer to shared rooms.
- Florian Weimer, Moritz Mühlenhoff
- Steffen Joeris, Nico Golde
- Thijs Kinkhorst, Stefan Fritsch
- Martin Schulze, Gerfried Fuchs
NB: We'll get two 3-bed rooms, so a re-shuffle needs to be done later.
Notes
Infrastructure changes/improvements
- We need to handle incoming issues in a more structured way, and use RT for that.
- From RT we need to have regular status updates via email.
- Instruct maintainers how to report issues and updates to us.
- Email people about their packages' issues from the tracker data. Add a confirmed state to the tracker for this.
- Signing build logs costs a lot of (waiting) time. Can this perhaps be done automatically?
- There's a patchset for RT that allows using it more like a mail client.
Group divisions
- The difference between secretary and full member doesn't need to be enforced
- It's good to keep the distinction between (un)embargoed
- Inactive members should be removed in some way
Ideas for DAK improvements
- Disallow releasing multi-package DSAs unless forced
- DSA-nnnn-1 and DSA-nnnn shouldn't be accepted. Should be unified.
- Uploads to *-security to ftp-master should be rejected. This is being worked on.
- Changes to the templates
Summary