 No, I got into the right area. I think this is a little bit of one thing. It's loose. Okay, I thought it might be perhaps a little bit helpful to have a discussion that says is there any possibility from the WPA group point of view to help the security team? In what way ever? I just wanted to have some input from you. Let's just see if we can... If you have any answers there, how we could help? We can't. The infrastructure is restricted. Security information is restricted to security information. We can't get access to it. And most of the police and the process of doing security now don't want help. So we are fine. There's a list of 70 public security problems in this table. What I didn't mean to... If you want to get to the other side, not to always find a place to stay, we might want to start collecting some facts. For example, people who have actually worked with us, or have tried to work with us as a security team, what their experience is, where it was possible to help or not to help them. It's also perhaps... I think the other reason is a shared fact. We should perhaps share some more facts before we go to the analysis. In the most cases, for example, for us, some vertical services in a forum can get stopped. If you want some input on that, just as I did, if you want. I think we can give from the volatile point of view some facts. We had several problems with clama file and volatile, which had security issues. From that, we learned very, very fast that working together with the security team is no big problem. They have, at least for us, they had a reaction time within 24 hours, and that had happened twice. We provided more or less a patches for some to integrate and tested all the stuff. I think two or three days later, Joey showed us and released the security, the first clama of security advisory. I think that the clama still is, because we, as a volatile team, didn't only have to deal with this. But we also have to deal with the maintainer, and that's the, frankly speaking, the most difficult part, because other teams had a contact with upstream, because basically, don't have these as something like CME ideas are useful. Yes. The second one was, well, it was now it's fixed, but when we first discussed clama file and volatile, they were all just the kind of ideas what can be included in the update. And I know for other packages, maintainers are often not too easy to work with. Of course, one can teach maintainers how to look better. So for example, slama file, it now works better then. Maintainers or upstream? Maintainers. I would say, well, of course, we have only one package right from the little series, but in that case, we were able to teach maintenance, but I can't imagine that our maintainers are as difficult to work with as a small clama file, and I know that they are absolutely as easy to work with as a maintainer clama file. So, yeah, all the exposed, but I can't imagine that the security team is even harder than the water quality. Because we have a lot of more packages, we only have one package, so if we need to take some time to teach them better, do it. Well, what could maybe be useful is to offer to maintainers help in preparing a security update so that it will be acceptable to the security team in one go. You mean something like that is a huge major element to us? Yes, something like that. Because for a lot of maintainers, they will not have done security updates before, and they might just be wondering, okay, what is acceptable, what's not acceptable, and if there are some people within the curating, who will have some experience with that, and they could, like, coach the maintainer, and then you would have more, then you would take some work away from the security team. Of course, that would only work for public security advice, basically, not for... Yeah, and even outside, because if you, for example, know that there are files, a person would do that, and then perhaps, you would have office updates with some non-public things. For example, a new house, it's got a security hole, it's closed, but it works. But it doesn't work at the start, it works later on in the process. One thing which might be also interesting is that with the testing security team, we have at least a good overview on which CVE items are currently open, and what needs to be tracked. I've been, I've done some work on directly, after that, conned together with Joey Nelson, Mika Enderson on testing security. It's fairly easy. You just go through the list of CVE numbers, and have a look if that package, which is mentioned there, is in Davian, and then try to track which versions are in Davian, which versions are affected. And then have a look if even the stable package is unstable, is affected. I hope that it's possible to make this the life of all VoIPa and all of us in the security team easier by more cooperation in the way of the security team. But that's something I think the most shows me to discuss with them. I think this will need time if the testing security team proves that they work on public security problems in testing, and stable the stable security team will accept people from that. So I think it's a question of time because testing security is two months old. It was announced yesterday or the day before yesterday. And the testing security team itself is a little bit older. I think Joyce started that in the ending of last year or something. Yeah, but what was for security was to be able to trust people because if you don't do it it's much more work to the when you are patched. So if you know it's patched rather than that with some glue so it's only comes with time. It's also a question of communication. A person that publishes a security problem with the security infrastructure in a web blog is someone that I don't know. It doesn't need to be kicked, but at least kicking in the ass, yes. Because there was Joyce with a security situation. It's some difficulty with FTP master and the archive because for some time technical side of testing security didn't work. And he couldn't do what he wanted to do. And then he had Venus Star which was more or less organized by him. And it was quite a strategy. And he's like one of two people who are doing work for security at the moment. But he has been overheld. Well, I can understand that he's not willing to just accept help from anyone. But thank you speaking. I think you'll realize it wasn't published in the web blog. I was very unhappy about that. I definitely agree on that. But on the other hand side it's a difference between what I say I like or it's good, I think to do. I can understand that he's very, very frustrated with some things. I can understand that FTP master is very convincing. I can understand both sides very, very well. But it doesn't help. And I would also consider this block as a life of help for me. This is what it actually was. An accessible one, so to speak. Yes. And he said, it's not my personal dialogue. It's not some definite announcement. Of what I know, that it's not an easy way because if I do something about the release management even if it's a personal agreement with the Magenfamilie, it will be held to the release team. And the same if you publish something about security, it will be a block anyway. But I can still understand that he's one of the system administrators and he has so many jobs that every personal remark of him is taken as official, deviant statement. But that's just not true. Anyone of people here can just go somewhere to fling and say, okay, this sucks. I hate it. The problem is that he does the personal blocks but he doesn't do the official statements from the security men and that's what's missing. Everyone want to know what the status of security support is if it's missing for a while that's not even a disaster. People running Debian in a professional way will often have the capability of for a short time doing their own security support if it's needed. But they would like an announcement okay, we have problems at the moment please track it yourself. On the other hand a lot of enterprise customers will have to ditch use an official announcement like we don't have security support for the time being as an excuse to ditch them in favor of one of the major vendors. Security doesn't help either if you're running Debian after two months you realize that you haven't had any upgrade for any of your systems then I would definitely go for another system. On the other hand it's a corporate environment where people like you more that's for all non very difficult roles that's for all non remote such roles more or less because it helps some with certain environments which is just a contradiction to a security update for one week would make problems. I think the customer market it's hard to say what will happen and different cases have different answers but I think security support is something important for our users and for ourselves and actually it's not something to say we need to sell Debian of course we need to I think it's important because the better thing is because selling is not the highest priority in Debian but we use the light things and I also want to use the light to the security and it sets the system we should focus on because that's one of our major planches Would you have an idea to ask Joey to tell to everybody who he trusts and he would trust to be a security helper or a security person that is at least ready for some period to be the person that is side to side working with him Well it would probably be possible but I don't believe there are any persons who have enough time to help the security team at the moment and to our trust so my proposal would be to add another second chapter to the security team F21 they are working they are working actually if they are working you can only send patches to the security team there is something else we have people in the security team the secretaries who are able to do good work but you can't publish directly so the next step would also be to convince Joey to make some of them full security team members but it's easy to say but it doesn't have to say it's here without people's joy once I want to say okay we can talk about the agency but we are not going to say it we won't help so what we should discuss here is how can we help on the outside and I think the basic thing there is to help maintain us and not help the security team when maintainers can't do the thing without security team well then they can prepare but here the security team is still involved if we have security secretaries sending patches that are not processed by the full security team members it might be faster if you don't need to send patches but I can put at least advice on this so baby I think the idea with security members is really a good idea the thing is for the reason why I entered that into the wiki I was very much frustrated about the whole stuff was so darn and how that version numbering was going on and so on it took us how long 3 weeks 3 weeks one of the other problems in that issue was that the security team was not really involved in the discussion there was a huge flame on the security but almost no input from it was only Joey sending the first email that's what I've seen from that and then users more or less never answered to any of the mails and that is bad I think we should try to at least if he starts such a discussion also be involved in that but I think we are in the wrong direction at the moment we can't discuss how to make Joey better we need 4 key how to get a choice given Joey what about taking any of the tasks that is not so important the key news what about taking the tasks from him so he would have more time he doesn't want to that's all the discussion like with most people in Brussels who want to be in control with some other stuff so who should take it from him it's a lot of work it's a lot of work he doesn't contribute regularly not anymore yeah I don't show a hand it to Tori Mai if he doesn't contribute now it doesn't make sense I think that's a dead end it's not what we are discussing I don't think that we can't discuss the choice in the sense of 4 eyes but it doesn't have to say what can we do because I think at least I don't know the exact version numbers but let's say having Mozilla 104 and stable and now uploading 106 to stable and saying since this 106 but we versioned 104 such one in my opinion a very bad idea because it's just confusing the users and there should be some guidelines we have guidelines for security support yeah we should have the next data point of view just to all of my stage which was uploads with new manager upstream version because upstream maintainer was paid on the SM didn't want this close to what it takes what was that about last thing and we don't know it goes with that silly setup we can't know if new upstream version comes out and says we didn't know in time so the solution is probably to accept that some upstream maintainers are not able or willing to provide patches and correct information of problems and we need a security team who is able and willing to upload new upstream versions the same this is popcorn material record who is going to decide which package is going to be allowed to have new upstream versions and which new upstream versions are going to break other packages and there's always a balance between a secure version when you want to break the rest of the package or are you going to update those packages as well and just there's a different option the one is when upstream send you a new upstream version that sticks to some important security stuff so we're basically the upstream system we're going to be nice and secure but we're going to be upstream version the other one is that we say oh yeah this is important we upload this new upstream version this is the second one we upload this new upstream version we label it as the last upstream version and there's also C possibilities one is obviously the worst one and that is to just mark it as an older version which actually is a new one because it's actually a completely different one I think that is what all the margin is going to be about since this byte has not a good idea to upload a new more silver version well it is to not do it for us but if you would break it then you have the upstream version number then you would also just keep the older version number you just it's not about just the version of the demo package is it's just an internal thing to change the source to say it's one of four and not one of six so fuck that was done through extensions we have in the archive because they check for the version number and they will all break but we still have problems because we had this problem at the beginning because the binary interface seems to have changed a bit we had crashes and tech faults and I don't know what so you have to remove it because we say we can't support it but you have a new version because how clearly was the fact documented that was one of four such one is actually one of six in the oldest version number so I didn't realize there was the changeback interface it was actually it wasn't an advisory advisory but that's the most important place to talk about so I said the changeback and the changeback so that's a good example of the problem we have here upstream is clearly not willing to issue security problems security information is kept but it's restricted to a few persons or upstream essentially and it takes like two months or so until real information is disclosed so we have to wait for two months until we know what has been fixed or we have to upload a new version or just remove it because we can't support it and the package I consider is important enough to just offer our rules and say let's upload a new version because it's a problem that I'd like to differ here I'm absolutely not in favor of allowing actually developers to force us to bend our policy I don't think that any package is that important and frankly I find it a very bad stance of the often with a downstream to not support to not support us in any way so I would vote for removing with a dummy cause because we cannot support it what about the latest kernel just the latest kernel the latest kernel has the same problem actually we have one problem it's always we all have a particular presence it's always nice to work as a shiny new feature our quality for example is very good that's just the case but it's of course a nice thing but actually more important thing about being a good man is to also keep to make sure that it doesn't break or if it breaks then you fix it then something it's still a team platform in yours it's a kernel after that's the same but that doesn't mean I'm happy about it but clearly the kernel we cannot remove the most common from that I'm not involved to vote for it it's a really nice thing for Edge I just saw you pointed out only upstream upstream developers have access to use back informations so in my eyes the obvious target should be that one of the deviant security gets access to this we again maximum access to the met he isn't active as a security team for years he's not active so that needs to be transferred to somebody else that needs to be transferred to somebody else yeah but that's that's the first disclosure it's not that he doesn't need information because maybe the deviant security might be the first in the balancing he is the first and he's not close enough he hasn't got the success because he's part of the deviant security but because upstream developers said okay he needs success and he and not someone else to get it and we probably it would be nice if we could get someone to have access to this and we are quite angry about deviant but it's not the back information is hidden because no sooner has something called Bonsai learning and it's one thing you can follow each change into the back so even if it's a backside of the barcode each code was changed into the back it's not a barcode information and it's even possible that it's a backside of the barcode information to work with the deviant security and the same stuff so you can get access to this out of Bonsai but most of the deviant security can't get access to it because there are a lot of changes and there are a lot of things Bonsai allows you to say okay I want to see all the changes but after we commit they change stuff all over the place and there's one security page and there's like 20 new features and it's one commit with one backhand which is important for us and you have to sort out without knowing what's back so it's like in your terminal in actual sense it's a great part yeah, nice can we go away from Bonsai it's a fucking security wall so we couldn't use what, the file in your group it's okay let's go back to our initial investment I think Bonsai is a very bad example but is there something else we can take up on this where it can be helped Bonsai is definitely a hard part in terms of a lot of easy security I'm sorry, can we have Bonsai to make it better I don't propose something which was already mentioned somewhere the testing security team has to go through all security problems anyway and a bit of the protection from stable security if they would share a secretary who's doing checks and checking what Persian and Debian is actually affected and it could mean that security for stable doesn't have to deal with upstream problems like we don't know what version is actually affected this part could be done by the testing security team and we relate over to the stable security team it's probably not much work which is safer but a few hours a week could probably improve the situation you said you said need someone who is trusted enough to access it because actually it doesn't want to access it you need to know again some of them there is a trust so again you need someone who is trusted by and doing all the good access to this and even if he sees the security issues in some stable packages you just can't go and test security team of testing A is something, you just look at the package because information can have a barrier for public and non-public security problems that non-public problems be tracked by security testing and non-stable security I think about 90% of all security problems are public or 10% are unbiased and it's I don't know how much information is gone down but of course it's here again all of those deep in the stolen meeting and other choices also in all of the work and there is some discussion between them there is some official security meeting being planned in Oldenburg so alongside the demolition and all the stuff that's going on and of course the expectation is from the meeting that the information sharing will be improved it's an obvious goal for all of them because we have all of them so we can stop discussing here but we probably need because we can't do anything to improve but it's easy of other that how we can handle it if there's something interesting one other part of the mental thing could be helping developers backboard patches if they don't know the language for instance we may also take it if they don't know the language of the package they are maintaining they should be kicked out of the project instantly I mean it's not the key it's one of the key qualities of a human that a container is able to fix its own pages no that's not true that's not what was said yesterday anyway here as well a lot of there being a key thing that is said within there being about developers is you don't need a program to be able to program to maintain a package it's useful if you can but it's not a requirement actually some people say that they don't agree they don't want to fix the problem these are the language but it needs how to make another people to fix the problem okay that's enough a container should be able to fix serious bugs in its own pages and not rely on other people to do it it's not acceptable what happens in upstream just goes that and we have you're off the package if the supporter meets for your work as a maintainer then you're off the package or request for help or request for help and the quality the QA team could be important to us for that help and backporting security fixes is probably a bit harder than fixing other types of problems because you often have to know the intricacies of C casting stuff like that where we have a lot of problems with the languages so it really requires often requires a higher level of knowledge to apply security patch or judge if there are minor versions between two versions if the patch can be applied safely or not and I think the quality assurance team where a lot of knowledge is present in different languages with different people could help by saying if you have a problem there what language is it he might be able to help you and asking for help is actually much better than rocking the entire package on the QA team sure but I'm still not happy about what they have to do I think that's sometimes really bad I'm not able to fix but for example I have a package who converges in the version in the version that's now in hand or up from double double pointers or something like that backporting such a patch is a major pain in the ass so I can understand that even someone who is experienced at coding C will fail at such level if he doesn't get any help at all or if someone says oh can please download my package I know that for example I see for example a Cambion is my opinion a good software engineer but I never approve my own package for testing because trust me it takes one minute but wouldn't it also be a good idea to use a volatile no why that's probably the answer volatile context probably always before the answer is no could you repeat the answer the reasoning first I mean it's such a pain in the ass to get a new kernel without breaking the API if it's such a pain in the ass to put a new non broken in stable without breaking the API without breaking all the all the add-ons, plugins and everything I mean if we are moving from a release from a release schema of releasing everything in a bunch and then putting it stable and then keeping it as stable for a very very long time and separating that into a core and then like satellite system that we can upgrade easily I'm proposing like to have another infrastructure to allow people to get upgrades easily without having to break the system but still everything will probably start I'm asking I'm saying about but I'm talking about security context when it comes to I might get the wrong answer from the volatile team's point of view on the side because we have this discussion very often of course on the first look it looks very wrong to do it I understand it I was first I was myself technically good I had a lot of discussion with other people but the basic problem is we have some we discussed about it before we have some serious problem with Mozilla it's up to me so on so by doing better this package is volatile volatile is not the answer for packages basically on my table if it's on my table it should be in volatile and the other thing what you said it might be a good idea to break some package out and make them separate more files and releases it's a good idea because volatile is like based on it it's something like back port or something like for example you must fill that in a net and publish it into a new version and if it's necessary for security packages you just publish it yourself for example I would help you to set these things up but that's not volatile that is if you say that Mozilla shouldn't be part of volatile based on that it's hard to maintain that it should not be stable no I'm busy I'm not using this as a I said if you say it's too low to not have it stable it's also important to have it volatile so then we'll help security app create some security team to have a different approach of a release like instead of a monolithic release to have a different approach the problem is that you're not solving the security problem of our technology but I think what Vezos is proposing is to reduce the number of packages covered by the security drastically that's not about the main archive let's say 2,000 packages maintained also by the security team and the rest of the 6 or 8 southern packages are unsupported are unsupported by the security team and we at that core I'm not too sure because the problem is that there are multiple metal packages for us some packages which we can't put out we can't say maybe release edge but part of port instead of edge it's something our users don't feel unhappy about well some mentioned the idea of creating something like Mozilla alien ad that sounded like to me like in general having two versions of Mozilla Firefox one which is kept being stable but not supported by the security team and one that may break but is supported regarding security very much security if we put something in stable what's basic idea is what's basic constraint is if we release it in stable then it should be supported it must be supported by security it's not possible not long as the release of packages is stable we can make something like if you want to say if you want to have Mozilla you need to add Mozilla to your source list for example but then we can't put it into edge anymore if it's so broken for example how can we learn from that Mozilla disaster and if we're going to include Mozilla into the next stable release how do you explain that to what's in packages anymore then it is about supporting the security but then for maintenance we should also think about how they should be secure to support the security what you could do to have Mozilla package maintainer and certainly one of the people to make the problems as small as possible but in this case you will now go out and then we have about 2000 packages where we support security for and the rest of the packages Mozilla maybe in network whatever maybe in network somewhere else how do you explain that to the maintainer we have party one of the rules we have is that if something goes into stable it should be possible to do security support for it and if a piece of software is not if it's not possible for a certain piece of software to do it then it doesn't meet the criteria for stable release it's a release criteria as I see it as possible to make it secure as a project so why did Mozilla release because this is because this problem has been ignored for quite a while still being ignored in fact because we have to upload a new version without doing the stuff we normally do with security objects that actually it's like packages in the future support the security just because you are anxious to fucking pick it like in Mozilla or because it's small and written in the complex way or what do you think about how it can be supported security or what no but it's say on this question what happens can we so we have 10 times of this we have other packages that are in the same state as Mozilla no no we can't talk about it can we do we have we shouldn't talk about Mozilla all the time if we have a general problem here we are talking about QA so to talk about that if it's just another problem we can just throw it into keymasters and remove them but it's not a major problem in our security infrastructure more and more packages are considered a very big bad problem security is supported by upstream for all the versions like KDE which is updated constantly and for KDE you get security updates the values so not in the form that we needed the KDE people are getting a very similar state to Mozilla and to Carnival when a project reaches a certain state, a certain size when they think, oh yeah, important they tend to they tend to put a break on their support for all the versions and with I've been told four days after the release of KDE 34 when I reported a ZEC fold in a KDE 33 application I upgraded to KDE 34 and they flat out refused in even pointing me towards the lift that fixed that particular bug three days after the release of KDE 34 but it's really a threat for you as well as your security updates yes, but this would have happened with KDE 33 and stable as well I think let me just summarize by the way, it's probably one of the Zuceran and Mozilla but in fact there are a lot of small packages the absence is also ridiculous, but for the small packages it happens only once in a package after 7 times a package is removed we can't just say it's removed the least kind from that end so since at least we have found large packages that are so bad because it's always on the move but I feel the first security update of open office if that will happen that's also a large package this seems like a big package so there are big packages that we need an aggressive security policy that for this package that we decide at least of 5 packages these need aggressive security policies that we can't know if you have a list of packages it's an absolute catapult of packages we can't remember if you have such hardship or if you want to do this it's an absolute complete package it's not only about sizes it's a complete package list bigger examples but it's also for the small ones I don't see a big difference except sizes small packages packages for the leaves of the packages are just if it's it's kernel, if it's Mozilla if it's KDE Mozilla KDE Mozilla KDE Mozilla KDE I would like to hear from people what they think about like setting up I mean the point of view of setting a set of packages that they have a strict rules of security updates than the rest of them I very much like the Debian everything that install is kind of supported whatever I get a BST or with Ubuntu the core is almost useless because I need too much stuff from universal portable never they call it and having no spend at all when those things is supported but in a way that the security restrictions for a new package on the archive would be a bit relaxing for example, Mozilla would have been able to enter it with a new version instead of like that protect it from a special setup you have to update all extensions with it and then the extension would be updated to you yeah but the extensions also would have comfort so you would have comfort so you would break comfort and then you would walk and DI includes KDE so you would break the installer I see the big picture but I saw some of the bad pictures that we have yeah but actually I think now we are at a very important point because Mozilla Mozilla is big but so good so dependency that you can't touch Mozilla without breaking a lot of stuff so I sense something a little bit worse for the QAT which is such a torture goal it's like okay, are we able to make this dependencies a bit weaker so we can update Mozilla and Mozilla extension is also better so we could achieve that of course it's not something we can achieve for the facade anymore but for Edge in my case for example and that would also help for releasing the LISC team because it would make it easier to make the LISC management if you notice that huge list of packages which basically needs to be stay together all the time I think that this approach depends on getting out of hand in some cases yeah, no one can KDE are currently going together we desktop org which is currently providing common interfaces and in the future we'll probably have really big release problems if we want to update one of the basic libraries because those desktops are completely have to go completely testing them from unstable so we have like 2,000 packages which have to go at one time because another example is where we had the new GIMP for start even at one point in unstable it dragged in gconf which is ridiculous, you don't need half of the known to run GIMP and the packages should make sure that you don't well, the problem is that the packages have to go upstream of single libraries that are created for... but the solution must be that upstream provides this for the bugs no, they don't we are not speaking about bugs bug fixes, yeah no, we are not speaking about bug fixes but about dependencies which link together KDE you have to install half of the known if you want to have one package but the only way what I would like to know do you note any any statement about how security will be handled by the DCC I'm not a part of any company of any way related to the DCC and I'm not on one of the DCC list so you have to ask someone else they don't know and from the public statements we can see FIAT has planned to put a common core into the given so like a hundred and fifty packages or so which are enough to get basic LSD compliance and after that it will be handled by the security team probably because they are native given packages and for the rest better but I think yeah I think the religion should on the side I hope can make dependency better so I can now make the next thought about first French guy I have things like that one two three