Bugsquad membership

halfdog me at halfdog.net
Sat Feb 13 05:21:02 UTC 2016


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello List,

As fixing of security bugs might be quite laborious thus inducing
delays, bugs believed to be minor security issues might backfire later
on, e.g. like with [0] resulting in [1] later on. As the whole process
of detection of security bugs to fixing often takes months, sometimes
even years, I would like to join bugsquad to coordinate and create
fixes for at least some of the bugs I reported, e.g. [2]. Bugsquad
membership should make it easier then to have a clean bug state after
triage to start with [3], thus for the Ubuntu Security team just to
review the updated package diffs and take over the package.

As I do not have deep insights into the bugsquad team management daily
operations, does this make sense or is this contribution too minor to
accept the membership-associated overhead for bugsquad management?

If membership has a net gain, could someone please subscribe me to the
team?

If you wonder, why e.g. [0], [1] were reported to Ubuntu via e-mail
but not via Launchpad: As it would be the most natural thing for e.g.
NSA, China, ... (those with capabilities to monitor large amounts of
network traffic) to just record all mails from large-scale Linux
distribution issue tracking systems containing the keyword "security",
and as this is a very cheap way to get to near-zero day material, I
would assume, that this is already done. Hence really critical
security material perhaps should not go to Launchpad or Launchpad
could be modified to send security issues only in encrypted mails
without talkative title, members without key should get only message
"Bug [Number]: Info changed" including the HTTPS link to the issue.

Kind regards,
hd

[0]
http://www.halfdog.net/Security/2015/SetgidDirectoryPrivilegeEscalation/
[1]
http://www.halfdog.net/Security/2015/UserNamespaceOverlayfsSetuidWriteExec/
[2] https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1528050

- -- 
http://www.halfdog.net/
PGP: 156A AE98 B91F 0114 FE88  2BD8 C459 9386 feed a bee
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iEYEARECAAYFAla+vTIACgkQxFmThv7tq+6DRACfWcFN8rmnL/L9lh6eWz86EfZF
c4cAnA7LO1tzDPQwSbFbzQKbUeFxczDQ
=hfyN
-----END PGP SIGNATURE-----


