
Re: Launchpad supporting features for Ubuntu security support



On Tue, 2007-11-13 at 16:40 -0600, Justin Dugger wrote:
> On Nov 13, 2007 4:05 AM, William Grant <william.grant@xxxxxxxxxxxxx> wrote:
> > Hi all,
> >
> > Ubuntu security support outside main and restricted is currently...
> > well... terrible would be the best way to describe it. This needs to be
> > fixed in the immediate future, and is largely because we don't have the
> > resources to watch for the insanely large number of issues that seem to
> > crop up.
> 
> Ubuntu has never promised more than volunteer best efforts outside these
> two categories.  If you rely on software outside of main and need dedicated
> security experts reviewing things, it's probably best to hire someone for the
> task.

I know that... I may not have made this apparent in the original email,
but I am one of the MOTU backporting security patches and generally
trying to keep universe and multiverse secure. My point was that *we*
need help from Launchpad to do much, due to our incredible lack of
manpower.

> > Malone has its (apparently very unfinished) CVE tracking abilities, but
> > there's no way to triage CVEs, for example. It would be nice to be able
> > to exclude RESERVED CVEs from the list, and have an easy `not for us'
> > button if they are for software not included in any Ubuntu release. The
> > list is currently simply too massive to do anything useful with.
> 
> There are teams associated with Universe / Multiverse security.  It might
> be wise to approach them and see what features they feel they need,
> and bring a more productive conversation back to LP when better cooked.

See above for the first bit, and I think the second bit is fairly well
covered already, but needs more discussion with Launchpad folks. Hence
the email to here.

> > Part of this solution may be integration with Debian's security tracker
> > (http://security-tracker.debian.net), which has people already sifting
> > through CVE lists and working out what is applicable where, and what
> > not. Retrieving and interpreting data from their lists - integrating it
> > into the CVE and bug listings - would certainly help with keeping Ubuntu
> > releases secure.
> 
> It would help, but part of the process is sifting through released packages
> looking for similar code.  This is a work-hours related thing, that Universe
> simply cannot sustain with the current number of volunteers.

As you probably know, we carry very, very similar code to Debian.
Integrating with their security-tracker would minimise the workload on
each distribution, as most of the work could be shared.

> > Another possibility is to simply track Ubuntu releases in the Debian
> > security tracker as well, but doing it in Launchpad is likely a better
> > idea. All of our bugs are already there, and the multi-task bugs allow
> > easy tracking in every release, and other distributions or upstreams.
> 
> I think you're placing far too much faith in the ability of Ubuntu to get Debian
> to do anything ^_^

I have had initial discussion with some members of the Debian Secure
Testing group, and they seem happy to work with us to give the security
tracker Ubuntu support, or similar. Using that alone is suboptimal,
however, because everything else is already tracked in Launchpad.

> > Ideally, we would have the facilities to efficiently and effectively
> > manage security support for Ubuntu in place by the time 8.04 LTS is
> > released, allowing us to keep it secure from day 1, until the end of the
> > 5-year support period.
> 
> It's great that you're bringing up LP flaws and missing features that can
> make this process go faster, but fundamentally I think the problem is
> one of people power.  There are simply a lot of packages in Universe, and
> far fewer people paying attention to them than Debian.  I think some way,
> perhaps monetary, needs to entice people into doing that work.

The problem is one of manpower, definitely. However, additional support
from Launchpad would ease the workload significantly, possibly even
reducing the time required for sifting through thousands of CVEs to
feasible levels.

-- 
William Grant




This is the launchpad-users mailing list archive — see also the general help for Launchpad.net mailing lists.