HardySecuritySupport

Security Support for hardy

Do not do releases from PPA, as they can not be signed. (but they should)
- I use PPA as a build daemon, and can still verify that it was my upload right? (I think you can verify it came from your launchpad user, but not that it was the same person that owns your gpg key)

  • - if someone else uploaded as my username, at least it would email me twice. Also, shouldn't launchpad only accept it from my user if it was signed with the key I have for me in launchpad? (Seemingly LP doesn't yet support that) -- so does launchpad just accept any key? -- it will accept any Changed-By or Maintainer, but you can always tell the account to which the uploading key belongs, on +archive.

UM&E also has some universe packages to support and some proprietary packages.

It would be nice to be able to let the security team scan the private archive to notify the customer of security issues.

The MSG team has many repositories to manage, similarly to UM&E.

  • We need a separate archive for UME release:

    • - signed
      - controlled inputs:

      • not everybody can upload

      • we can port our changes and users wont see the "hardy" security update before the ume updated version

      - testing

Security team is using misc tools to do QA on security uploads and a security tracker.

* ACTION: KeesCook to send pointers to these.

One solution: Whenever security team releases update, get patch directly from them (deb diffs)

* ACTION: LoicMinier to provide details about seeds used in ume to Kees (DONE)

Create a mailing-list where we send all security updates debdiffs.

Provide list of packages and repos to security team (seed) to watch for security updates

Kernel security issues: [ We need to check security issues in additional drivers and backported code.

Currently not a full time resource to oversee kernel security issues
Mobile would need to provide a contact point to review issues

Security team proposes to send all CVEs for kernel and universe packages to some contacts. We still need someone to do the checks/updates.

Concerning Universe security updates, there's no announce yet; we should start sending UUSN (Ubuntu Universe Security Notices).

We can fold the hardy-security, hardy-updates, hardy-proposed, hardy, and mobile repos into a single one.

MobileAndEmbedded/HardySecuritySupport (last edited 2008-08-06 16:36:04 by localhost)