From 958f25630bf0925d7732f8204f8a03c208ceab7b Mon Sep 17 00:00:00 2001 From: Moritz Muehlenhoff Date: Wed, 3 Dec 2014 18:28:00 +0000 Subject: first stab at some agenda items git-svn-id: svn+ssh://svn.debian.org/svn/secure-testing@30512 e39458fd-73e7-0310-bf30-c45bca0a0e42 --- org/agenda-2015.txt | 97 +++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 97 insertions(+) create mode 100644 org/agenda-2015.txt (limited to 'org/agenda-2015.txt') diff --git a/org/agenda-2015.txt b/org/agenda-2015.txt new file mode 100644 index 0000000000..6d4364a547 --- /dev/null +++ b/org/agenda-2015.txt 
@@ -0,0 +1,97 @@ +Agenda for Security Team Meeting +-------------------------------- + +Workflow +======== + +- Improvements needed for dsa-needed.txt, like more automatisation? The repo + with embargoed issues isn't used much, what can we do to improve that? + +- Is RT abandoned, do we still need to clean up old issues from the security + queues? + +- Draft new people, possible candidates + +- Opening up the security process further to allow maintainers of packages with + frequent issues to release updates themselves. Needs a more detailed workplan: + - Updates need to be reviewed/acked by sec team members + + - Requires changes to dak to no longer require access to security-master, + e.g. by using a mechanism similar to allowing a DM to upload and sending + error messages to the signer of the upload (already requested by Thijs) + + - Requires changes to debian-security-announce + +Tools +===== + +- Compile a list of issues we want to see fixed + +- Make it simple to release packages for others to test, e.g. an aptable security queue, + what is needed to implement that? + +- How can we leverage autopkgtest for testing security updates in jessie? + +- Migrate to git during the weekend? Since most people are around and we'll be + actively using all tools anyway, we can fix all fallout right-away. + +Tracker +======= + +- Add a new status to differentiate between "no-dsa, if the maintainer wants + to fix in a point update go ahead" and "no-dsa, was ignored because it's + possible to backport" (this is e.g. needed to cover non-backportable issues + like CVE-2013-4148 et al. for KVM). 
+ +- Check open bugs in the BTS, check bugs against security-tracker pseudo package + +- Support for consistency checks on source package names, e.g linux-2.6/linux + or all of the ruby packages, track package renames + +- Automatically add tags for unsupported packages + +- Automating more tasks: + + dropping "NOTE: to be rejected" when an issue is marked as REJECTED + + script to automatically merge data/next-{oldstable-,}point-update.txt + + get an overview of newly reported bugs in the Debian BTS which have + tag security (if one submits a bug not over reportbug we do not get + a copy)? + + Automatically group/reorder unassigned CVE-$year-XXXX item to have + them in one place and get a better overview? + + +Documentation +============= + +- Work on proper documentation how people can contribute + +- Remove mentions of the "testing security team" since that doesn't + seem to exist anymore + +Distribution hardening +====================== + +- What new hardening features should we tackle for stretch? + +- systemd hardening features; identify a set of important packages + +- improve detection of hardened build flags, maybe write the flags used into an + ELF section? This way it could be more reliably checked whether correct flags + were used (e.g. for binaries using fortified source, but not using any of the + functions covered by it) + +- hidepid by default + + +LTS +=== + +- Review; what is working well, how is it keeping up, we can we do to help? + +- What tool changes need to be made? + +Others +====== + +- Distribute the new security team key on + -- cgit v1.2.3
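Review bot: the last agenda item in this hunk, "- Distribute the new security team key on", is cut off mid-sentence and needs to say where the key is to be distributed (keyring package, web page, announcement list) before this file is used as the meeting agenda. Two smaller wording fixes in the same hunk: under "LTS", "- Review; what is working well, how is it keeping up, we can we do to help?" should read "what can we do to help?", and under "Tracker", "e.g linux-2.6/linux" is missing the period after "e.g". Consider also giving the first "Workflow" item a concrete starting point, since "more automatisation?" for dsa-needed.txt and "what can we do to improve that?" for the embargoed-issues repo are only questions and give the meeting nothing to decide on; a one-line proposal per item (like the dak/DM-upload idea already spelled out for the self-release item) would help.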