Security tracking improvements

Registered by Kees Cook

Discuss how to improve the USN announcements and the CVE tracker

Blueprint information

Status:
Complete
Approver:
Kees Cook
Priority:
Medium
Drafter:
Jamie Strandboge
Direction:
Approved
Assignee:
Jamie Strandboge
Definition:
Approved
Series goal:
Accepted for oneiric
Implementation:
Implemented
Milestone target:
ubuntu-11.10
Started by
Jamie Strandboge
Completed by
Jamie Strandboge

Related branches

Sprints

Whiteboard

Work items:
[jdstrand] write up example text for issue summaries for example classes of software/users: DONE
[jdstrand] write wiki page to link from update instructions (desktop and server sections): DONE
[kees] implement database for overrides: POSTPONED

Etherpad notes (http://summit.ubuntu.com/uds-o/meeting/security-o-tracking/):
Discuss how to improve the USN announcements and the CVE tracker
http://www.ubuntu.com/usn/
 * --issue-summary templates
  * example: http://www.ubuntu.com/usn/usn-1111-1/
   * 1125-1: good
   * 1129-1: bad
   * "Multiple security issues could cause your computer to crash."
   * [ACTION]: jdstrand to write up example text for issue summaries for these examples of 'classes' of software/users: kernel, apache, firefox/tbird, tiff, openssl, openjdk, python, oem glitches, X
  * usn-website:
  * --source-description overrides (eg, suggest what is in packaging but add an override if it exists. eg, kernel, kdenetwork)
   * 3 problems
    * who is the target audience - description is for someone unfamiliar with the package name. Should use the html title for the software description
    * should not have multiple entries for the same software (eg, firefox)
    * <pkgname> - description is weird
    * text from changes is poor, so we should modify it and cache it somewhere
  * database
   * source pkg
   * upstream proper name
   * human software description
   * leverage kees' scripts
 * update instructions
  * [ACTION] jdstrand write wiki page to link from update instructions
   * desktop session and server section
 * Can we add a bug for backports that don't get an update?
  * short answer: no
  * long answer: there is enough information for people to automate reporting
 * Policy for commenting in bugs in -proposed
  * comment in the bug
 * Tool ideas
  * "what are the debs for a given USN?" (to replace the file list, md5sums, etc)

