Announcement of long term support for Debian oldstable

1. [SECURITY] [DSA 2907-1] Announcement of long term support for Debian oldstable
2. (5 év a kiadás megjelenésétől számítva)
3.  
4. A következő levél témája:
5. „Ez egy előzetes értesítés, hogy a rendszeres biztonsági támogatás a Debian GNU / Linux 6.0 (kódnevén "squeeze") 2014. május 31-én megszűnne,
6. # Egy újabb kiadás megjelenése után egy évig tart a Debian biztonsági frissítési támogatása az oldstable verzióra.
7. azonban mi örömmel jelentjük be, hogy az oldstable disztribúció, a Debian Squeeze részére a biztonsági támogatást meg fogjuk hosszabbítani, 2016. februárig, vagyis öt évvel a - most oldstable - kiadás megjelenésétől számítva. Ez a törekvés (LTS - Long Term Support) vezérli a különböző érdekelt feleket / vállalatokat, amelyeknek így az igényeit a hosszabb biztonsági támogatásra jobban ki tudjuk szolgálni ...”
8.  
9. #####
10. Kapcsolódó hivatkozások:
11. - DebianSqueeze
12. https://wiki.debian.org/DebianSqueeze
13. - DebianReleases
14. https://wiki.debian.org/DebianReleases
15. - Debian “squeeze” Release Information
16. http://www.debian.org/releases/squeeze/
17. - DebianOldStable
18. https://wiki.debian.org/DebianOldStable
19. #####
20.  
21. A levél
22.  
23. - -------------------------------------------------------------------------
24. Debian Security Advisory DSA-2907-1 [email protected]
25. http://www.debian.org/security/ Moritz Muehlenhoff
26. April 16, 2014 http://www.debian.org/security/faq
27. - -------------------------------------------------------------------------
28.  
29. This is an advance notice that regular security support for Debian
30. GNU/Linux 6.0 (code name "squeeze") will be terminated on the 31st of
31. May.
32.  
33. However, we're happy to announce that security support for squeeze is
34. going to be extended until February 2016, i.e. five years after the
35. initial release. This effort is driven by various interested parties /
36. companies which require longer security support. See the "LTS" section
37. of https://lists.debian.org/debian-devel-announce/2014/03/msg00004.html
38. for the initial announcement.
39.  
40. The details are currently being sorted out and a more detailed
41. announcement will be made soon.
42.  
43. Brief advance FAQ (but you should really wait for the more detailed
44. announcement):
45.  
46. Q: What's the difference between regular security support and the LTS
47. support?
48. A: squeeze-lts is only going to support i386 and amd64. If you're
49. running a different architecture you need to upgrade to Debian 7
50. (wheezy). Also there are going to be a few packages which will not
51. be supported in squeeze-lts (e.g. a few web-based applications
52. which cannot be supported for five years). There will be a tool to
53. detect such unsupported packages.
54.  
55. Q: Does this mean that Debian 7 (wheezy) and/or Debian 8 (jessie) will
56. have five years security support as well?
57. A: Likely, we'll see how squeeze-lts turns out. If there's sufficient
58. support it will be continued for later releases as well. Also, see
59. below.
60.  
61. Q: Is additional help needed?
62. A: Absolutely. squeeze-lts is not handled by the Debian security team,
63. but by a separate group of volunteers and companies interested in
64. making it a success (with some overlap in people involved). So, if
65. you're a company using Debian and seeing a benefit in security
66. support for five years, get in touch with [email protected]
67. and we'll see how you can help (if you e.g. don't have the manpower /
68. know how but are willing to contribute, we can point you to a list
69. of Debian consultants)
70.  
71. Mailing list: [email protected]
72.  
73.  
74. A levélben hivatkozott oldal
75. https://lists.debian.org/debian-devel-announce/2014/03/msg00004.html
76. tartalma:
77.  
78. [Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]
79. Bits from the Security Team
80.  
81. To: [email protected]
82. Subject: Bits from the Security Team
83. From: Moritz Muehlenhoff <[email protected]>
84. Date: Wed, 5 Mar 2014 20:03:01 +0100
85. Message-id: <[email protected]>
86. Mail-followup-to: [email protected]
87.  
88. -----BEGIN PGP SIGNED MESSAGE-----
89. Hash: SHA1
90.  
91.  
92. The Debian Security Team met on the first weekend of February at the
93. Linux Hotel in Essen (along with an FTP master for archive/dak-related
94. issues). Here's a summary of what was discussed and done. It also
95. lists various useful tasks for which volunteers are welcome in order
96. to speed things up.
97.  
98. Attendees: carnil, corsac, fw, jmm, luciano, geissert, ganneff
99.  
100. Debian Security Tracker
101. - -----------------------
102.  
103. * In some cases source packages get renamed, e.g. the source package
104. for the Linux kernel was called "linux-2.6" in oldstable and is
105. "linux" in stable and later. Other examples are the various Ruby
106. packages which got renamed from libfoo-ruby to ruby-foo. These
107. renames currently need to be tracked manually. We're planning to
108. automate these. If anyone wants to help and implement it, please see
109. #738172
110.  
111. * We've discussed whether older release information should be kept in
112. the database. There are some performance issues to be considered
113. since the tracker data gets rebuild with every commit, but adding
114. support for oldoldstable is still well within the limits of the
115. system running the Debian Security Tracker.
116.  
117. * debsecan is a tool which is closely related to the Security Tracker:
118. It uses the tracker data and outputs a list of all open
119. vulnerabilities affecting a given system. There's currently not much
120. development going into debsecan since people are busy with other
121. topics. If anyone is interested in joining the debsecan
122. maintenance/development (there's a certain level of interest since
123. several patches are submitted to the BTS), debsecan can be moved to
124. collab-maint. If anyone's interested please send a mail to
125. [email protected]
126.  
127. * We're considering to periodically send notifications of open
128. vulnerabilities to maintainers. While we usually file bugs for all
129. security bugs sometimes issues fall through the cracks and an
130. additional reminder will be useful. We're planning to perform a test
131. run and check on how to proceed from there.
132.  
133. * There are quite some vulnerabilities which are addressed in Debian,
134. but for which no CVE identifier has been assigned. Since the CVE
135. assignments are monitored by other parties, getting IDs
136. assigned is useful for the open source community at large. They are
137. currently tracked at
138. https://security-tracker.debian.org/tracker/data/fake-names , if
139. anyone is interested in coordinating CVE assignments, please get in
140. touch with [email protected]
141.  
142. * Currently dak doesn't send out error and upload processing messages
143. to uploaders to security-master. This is done to prevent information
144. leaks of erroneous uploads of embargoed vulnerabilities and public
145. mailing lists in the Maintainers: stanza of a package. Error
146. messages will be sent to the primary email address of the PGP key of
147. the uploaders (which prevents information leaks).
148.  
149. Security release workflow
150. - -------------------------
151.  
152. * We tried using Request Tracker for some time now. This hasn't
153. worked out to our satisfaction, so we have already switched to track
154. pending security updates with a text file in our Subversion
155. repository. We were still using RT for non-public issues, but we're
156. planning to track these in an external, private Subversion
157. repository in the future. Most of the documentation has already
158. been changed, a change to the developer's reference is pending.
159.  
160. * Historically we've included the vulnerability type and the scope of
161. a security issue in our DSAs. This has become mostly redundant and
162. confusing (and it's covered in the advisory text anyway), so we've
163. started to no longer include these in current advisories.
164.  
165. * The PGP key of the security team is currently handled in a traditional
166. manner. Our current key expires in September 2015 and we're planning
167. to move to smart cards for managing the key in the future.
168.  
169. * We're currently using Subversion. We discussed changing to git, but
170. git doesn't offer significant benefit for our purpose so we decided
171. to stick with it. However, we're planning a rename of the repository
172. which is still named after the secure-testing project which is no
173. longer active and is confusing people.
174.  
175. * Many packages are easily testable, but some packages are more
176. intricate to setup or they require special purpose hardware. We're
177. planning to keep a list of willing testers, so if you're running any
178. of the packages below and are available for tests, please send a
179. mail to [email protected]:
180. pidgin, openjdk-6, openjdk-7, drupal6, drupal7, asterisk, quagga,
181. nginx, torque, openswan, roundcube, typo3, bind9, tomcat6/tomcat7,
182. mediawiki and gridengine.
183.  
184.  
185. Security archive
186. - ----------------
187.  
188. * In order to avoid bottlenecks and to open up the security process
189. further we're planning to allow maintainers which are not part of
190. the security team to release security updates on their own. This
191. applies to packages which have frequent vulnerabilities and where
192. the maintainers are involved in the update process anyway. The exact
193. details still need to be sorted out and some archive changes are
194. required as well. Currently the release of a security update
195. requires a login to security-master. We're planning for a mechanism
196. similar to the procedure to allow upload privileges to DM;
197. i.e. uploading a signed control message which triggers the actual
198. update (probably with some tool like dcut). In a later step the
199. advisory mail could be sent out by dak itself.
200.  
201. * In the past dak provided support for two distinct queues on
202. security-master; one public and one for private security
203. vulnerabilities. This feature is currently non-functional due to
204. changes in dak development in the past, but we're planning to
205. re-enable it again. This will allow us to make all public security
206. updates initially available through a separate apt source prior to
207. the release of a DSA (there's usually a delay between the initial
208. upload of a fixed package and the release, e.g. to sort out further
209. tests or to wait until all architectures are built). For non-private
210. issues making this change opens to wider testing of upcoming
211. security updates and furthermore earlier availability of updates for
212. Debian-derived distributions based on oldstable/stable.
213.  
214. * We had occasional problems of mismatched tarballs between
215. security-master and ftp-master. These are automatically detected and
216. rejected when the security update is later merged into stable. These
217. are now automatically detected and rejected when processing an
218. upload to the security queue. Code which checked these during the
219. upload was already available in dak and has been enabled during the
220. meeting.
221.  
222.  
223. Others
224. - ------
225.  
226. * We're tentatively aiming for another Security Team meeting at the
227. beginning of 2015. At that time Jessie will be in freeze which is a
228. good opportunity to plan for jessie/jessie+1.
229.  
230. * In some cases the scope of security support needs to be limited (e.g
231. webkit-based browsers in Wheezy) and sometimes packages need to
232. end-of-lifed before the security support time frame ends. Currently
233. this information needs to be retrieved from the release notes or
234. announcement mails. We'd like to see a more technical solution which
235. displays the unsupported packages for the installed packages on a
236. specific system. If anyone wants to work on such a script, please
237. contact [email protected] and we can hash out the details.
238.  
239. * Our documentation is currently spread across (too) many
240. places. We're planning to create a one-stop site
241. http://security-team.debian.org which links all information wrt to
242. working/contributing on security, e.g. links to the security
243. tracker, introduction information, links to useful wiki pages etc.
244. Some preliminary work has already started - e.g. converting the docs
245. to MarkDown.
246.  
247.  
248. Distribution hardening
249. - ----------------------
250.  
251. * The distribution hardening using dpkg-buildflags is coming along
252. nicely. Coverage of security-sensitive packages and of all packages
253. with priority:standard or above is above 95%. Some packages still
254. need to be addressed or NMUed, please get in touch with
255. [email protected] if you want to help out.
256. Coverage of the rest of the archive is also making nice progress, if
257. you're a maintainer and haven't fixed our packages yet, see
258. https://wiki.debian.org/HardeningWalkthrough for more documentation.
259.  
260. * GCC 4.9 introduces an improved version of stack protection
261. (-fstack-protector-strong). We're planning to propose this to the
262. dpkg-buildflags once GCC 4.9 is the default compiler.
263.  
264. * We're planning to request for hidepid to be enabled by default (to 1).
265. This will squash an entire class of information leaks. If you have any
266. comments or objections, please get in touch with us.
267.  
268. * Since Wheezy the Linux kernel features a security mechanism which
269. nullifies many symlink attacks (fs.protected_symlinks). We're
270. planning to treat any vulnerabilities which are rendered moot by
271. this protection as non-issues. If you're using custom Linux kernels
272. builds you need to enable this option. kfreebsd (currently a
273. technology preview) and Hurd (currently not a release arch) don't
274. implement this security feature. We welcome feedback from the
275. porters whether similar protections exist or whether they're
276. feasible within the jessie release time frame.
277.  
278.  
279. LTS
280. - ---
281.  
282. * At the moment it seems likely that an extended security support
283. timespan for squeeze is possible. The plan is to go ahead, sort out
284. the details as as it happens, and see how this works out and whether
285. it is going to be continued with wheezy.
286. The rough draft is that updates will be delivered via a separate
287. suite (e.g. squeeze-lts), where everyone in the Debian keyring can
288. upload in order to minimise bottlenecks and allow contributions by
289. all interested parties. Some packages will be exempted upfront due
290. to their volatile nature (e.g. some web applications) and others
291. might be expected to see important changes. The LTS suite will be
292. limited to amd64 and i386. The exact procedures will be sorted out
293. soon and announced in a separate mail.
294.  
295. * It needs to be pointed out that for this effort to be sustainable
296. actual contributions by interested parties are required. squeeze-lts
297. is not something that will magically fall from the sky. If you're
298. dependent/interested in extended security support you should make an
299. effort to contribute, either by contributing on your own or by
300. paying a Debian developer/consultant to contribute for you.
301. The security team itself is driving the effort, NOT doing it. Some team
302. members will contribute to it individually, however.
303.  
304. * Anyone interested in contributing, please get in touch with
305. [email protected]. We'll setup an initial coordination list
306. with all interested parties. All policies / exact work will be
307. sorted out there.
308.  
309.  
310. Full minutes can be found at http://titanpad.com/secteamessen2014 and an
311. archived version can be found at
312. http://anonscm.debian.org/viewvc/secure-testing/doc/secteamessen2014-latest.txt?view=markup
313.  
314.  
315.  
316. -----BEGIN PGP SIGNATURE-----
317. Version: GnuPG v1 -----END PGP SIGNATURE-----
318.  
319. Reply to:
320.  
321. [email protected]
322. Moritz Muehlenhoff (on-list)
323. Moritz Muehlenhoff (off-list)
324.  
325. Prev by Date: Bits from keyring-maint: Pushing keyring updates. Let us bury your old 1024D key!
326. Next by Date: Debian Contributors want YOUr data source!
327. Previous by thread: Bits from keyring-maint: Pushing keyring updates. Let us bury your old 1024D key!
328. Next by thread: Debian Contributors want YOUr data source!
329. Index(es):
330. Date
331. Thread