![[LWN Logo]](/images/lcorner.png)
![[LWN.net]](/images/Included.png)
|
|
|
|
From: Martin Schulze <joey@finlandia.infodrom.north.de> To: Debian Development <debian-devel@lists.debian.org> Subject: Questions regarding the Security Secretary Position Date: Mon, 24 Sep 2001 09:53:26 +0200 Cc: Debian Security Discussions <debian-security@lists.debian.org> I'm awfully sorry for the delay, but I wasn't able to work on this earlier again. Here's a list of questions and answers that came up with the posting I made last week. Q: Is a requirement being a Debian developer? No. It is my understanding that it would be good to have "fresh blood" in the team. Working on security can cost a lot of time, thus it could even be helpful not being a Debian developer since that implies active package maintenance as well. However, similar knowledge is very helpful, and may be required when working on issues. Q: How much time is required to fill the position? That's something I don't know. When I started with Debian Security, it was easy to do, there were two architectures, about 1000 packages and not too many security incidents reported. This has changed. We're at some 5000 packages, often there are more than two security incidents reported per week which we'll have to investigate, and there are six released architectures, probably 12 for the next release. I can imagine that this job requires about 10-20 hours per week. However, it's possible that there are a couple of weeks where no work is to be done. One has to expect that this position requires a lot of time. Q: Are you open to finding a small (2-3 person) team to fill this role? Yes, I am open to this idea. This would be based on my practise of forming a team in order to make it less dependant of one person (see listmaster, debian-admin, security etc.). However, the more people are involved, the more coordination has to be done. On the other side, security is crucial and we should do anything that can improve the situation. Q: How will the person/team come up to speed? I can't parse the question. In my announcement I wrote several tasks that this person/team would have to work on. I forgot documentation thouth. Please see <http://lists.debian.org/debian-security-0109/msg00225.html> Q: What are the personal requirements? At least one of the secretary team needs to be able to code in C and understand Debian packaging as well as security incidents. It would be useless if the person won't understand how an exploit works. If more than one person is going to fill this position than a second person could specialize on tracking problems and documentation while the first person works on details, programming and fixing. A lot of spare time is required as well. Q: What is the method you will choose this person? The current Debian Security Team will discuss volunteers and appoint 1-3 persons. Regards, Joey -- No question is too silly to ask, but, of course, some are too silly to answer. -- Perl book