Web lists-archives.com

Report from the Debian Security Team Sprint in Hamburg (May 2018)




Security Team sprint report
===========================

The Security Team met in Hamburg between May 16 and May 20 2018 as part
of the Mini-DebConf Hamburg for work and discussion about ongoing work
plans, process review, and potential issues.

The participants were Alessandro Ghedini (ghedo), Moritz Muehlenhoff
(jmm), Salvatore Bonaccorso (carnil), Sébastien Delafond (seb), and
Yves-Alexis Perez (corsac).

We'd like to thank the Mini-DebConf organizers for providing the
facilities for our sprint, as well as all donors to the Debian project
who helped to cover a large part of our expenses.

DSA workflow
------------

We reached a consensus on implementing a wrapper to help with the
(currently) cumbersome DSA release process. Further automation via a
git-based trigger in a dedicated repository could be the next step.

Automated patch management
--------------------------

Based on Luciano Bello's talk[0] during DebConf 17, an additional pass
was made to check again on the status for this project.

[0] https://debconf17.debconf.org/talks/166/

Autopkgtest for security.debian.org
------------------------------------

We are interested in having this service provided for security uploads,
in a manner compatible with embargoed packages. Several discussions will
be initiated with the relevant parties.

Better access control
---------------------

We're looking into options to use 2FA to secure both SSH logins to
security-master and access to salsa.

New home for documentation
--------------------------

We decided to work toward a Gitlab pages-based solutions as the main
entrypoint to all security-related documentation (developer reference
section, FAQ, TODO list, etc).

Infrastructure improvements
---------------------------

We followed up on the staging repository project, and also discussed a
delegated DSA release process.

Kernel hardening
----------------

Yves-Alexis performed an extensive audit about recent evolutions
regarding kernel security.

Misc
----

We had several discussions about updates to 32-bit x86 kernels, go-based
packages (will not be covered by security support for buster unless
tooling for rebuilds improves), Firefox ESR (Rust/Cargo toolchain has
been updated and is ready for ESR 60), and fast-moving packages (like
gitlab, elasticsearch, wordpress, etc).