[cut-team] Some experience with security support for testing
nico at ngolde.de
Tue Aug 31 16:49:08 UTC 2010
* Joey Hess <joeyh at debian.org> [2010-08-31 18:21]:
> Stefan Fritsch wrote:
> > Somewhere during Lenny's release cycle, all members of the testing
> > security team became also members of the stable security team. After
> > Lenny's release, there was more motivation to work on stable security,
> > and there were not many uploads to testing-security anymore. As you
> > may have noticed, there is more than enough work for stable.
> So, I knew this happened, but I still don't fully understand *why* it
From my point of view there are multiple reasons. One is the lack of manpower
and the importance of stable. At the time of lenny we were mostly 3 active
people who did all the work and sadly this situation didn't improve over time
despite asking several times for help. Since I joined the stable security team
I tried to balance my work between stable and testing a bit (note that I'm not
really active at the moment in both due to writing on my thesis) and so did
Steffen, but now there is a clear lack of manpower. Additionally to this,
embargoed security information has always been a problem. Traditionally the
testing-security team has no access to this kind of information while it's
imho a crucial component in keeping testing secure. We tried to work against
that a bit by starting team at testing-security.debian.net and put a few selected
people on this list but the activity on this alias has always been close to
zero. Sadly coordination between stable and testing security team never worked
at this point which is mostly so because the workflow and practices in the
stable team are very chaotic and not uniform among the members imho.
Another important problem is the view of maintainers towards testing. Most of
them don't monitor their packages for proper testing migration so getting
those packages to migrate and track was a huge additional workload that wasn't
even related to security.
I can only speak for myself but before the lenny release I've been working
several hours a day to make this happen and since lenny was released the
number of significant new contributors to this is not very high. To be honest
I don't know why and I have no idea how this could get promoted any better.
> Does that all sound about right? If so, assuming that CUT actually happens,
> it suggests that the existence of some testing-based thing with the
> project behind it and user interest, could in turn lead to renewed
> interest in providing security support for testing, both from within and
> without the current security team.
Yes, this sounds right to me. The most important thing to change this imho
would be to get all members of the stable security team to work with the
security-tracker (it's important for them anyway) and thus share the workload
with the testing-security team, motivate DDs to care about migration and
find a way to motivate some fresh blood.
I have a hard time explaining the possible reasons from my side and I think
there are quite some points which contributed to this problem but I hope this
input is helpful (even though I also have to say it's imho not as bad as this
may sound, the most important problem is a manpower one).
Nico Golde - http://www.ngolde.de - nion at jabber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.