Security Team Roadmap work for Lucid

Registered by Marc Deslauriers

This is a blueprint for the catch-all security discussion for Lucid. Topics to cover may include things from

Blueprint information

Robbie Williamson
Marc Deslauriers
Marc Deslauriers
Series goal: Accepted for lucid
Milestone target:
Started by: Kees Cook
Completed by: Kees Cook

Work items:
[jdstrand] create blueprint for security-lucid-catchall-essential: DONE
[jdstrand] create blueprint for security-lucid-catchall-high: DONE
[jdstrand] create blueprint for security-lucid-catchall-medium: DONE
[jdstrand] create blueprint for security-lucid-catchall-low: DONE

Gobby notes (for catch-all):

setuid: ongoing, mostly complete

apparmor profiles:
 - existing:
 - postgresql -- ask pitti; needs to land early if it is for lucid
 - ongoing with dovecot -- close, needs some work - for lucid
 - pam_apparmor needs some work (to map users/applications that use PAM to profiles) - for lucid
 - firefox updates (Kubuntu) - for lucid
 - upstartify apparmor - for lucid
 - dnsmasq -- doing better - probably not for lucid
 - userspace tools - for lucid

PIE -- evince and firefox
 - show no performance regressions
 - identify test cases
 - this can be used to move forward and show that PIE doesn't really slow things down
 - mysql -- amd64-specific problem with one test case on 5.0
 - PIE and gdb -- improved; upstream is reluctant to merge because of an outstanding patch. Debian won't take patches because upstream won't; therefore Debian won't do PIE in applications because they are too hard to debug

encrypted Private - not for lucid (translation issue not solved)

fscaps - push through Debian; tar is missing extended attribute support

block execution of files lacking the execute bit - kees to add for TechBoard

fix remaining executable stacks - one left (i386/mono) - fixing it broke the debugger, upstream issue. Won't Fix (not for lucid)
 - partner
   - give the list to Brian (iamfuzz) and he can talk to vendors
   - get a list of the distros each vendor supports; if all distros share a particular set of compiler flags, perhaps we can ask vendors to build with them. Coordinate with other distros
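The PIE and executable-stack items above are both things you can verify on a built binary without a debugger. The checker below is an added example, not the blueprint's own tooling or anything from the Ubuntu security team: it reads only the ELF header and program headers, treats an ET_DYN object that still carries PT_INTERP as a PIE (an ET_DYN without an interpreter is taken to be a plain shared library), and reports the PT_GNU_STACK flags, where a missing PT_GNU_STACK is assumed to mean the historical x86 default of an executable stack. The function names and the `build_elf()` helper, which only constructs synthetic ELF images so the checker can be exercised offline, are this example's own. On a real system `readelf -h` and `readelf -l` show the same fields.

```python
"""Check ELF binaries for PIE and executable-stack status.

Added example, not part of the Lucid blueprint or the Ubuntu security
team's tooling.  Only the ELF header and program headers are parsed, so
no external tools are required.  build_elf() is a constructed-input
helper used solely so the checker can be exercised without real files.
"""
import struct
import sys

ET_EXEC, ET_DYN = 2, 3
PT_INTERP, PT_GNU_STACK = 3, 0x6474E551
PF_X = 1


def program_headers(data: bytes):
    """Return (e_type, [(p_type, p_flags), ...]) for an ELF32/ELF64 image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    elf_class, little = data[4], data[5] == 1
    end = "<" if little else ">"
    (e_type,) = struct.unpack_from(end + "H", data, 16)
    if elf_class == 1:  # ELF32: p_flags is the 7th field of Elf32_Phdr
        (e_phoff,) = struct.unpack_from(end + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)
        fmt, flags_idx = end + "IIIIIIII", 6
    elif elf_class == 2:  # ELF64: p_flags directly follows p_type
        (e_phoff,) = struct.unpack_from(end + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
        fmt, flags_idx = end + "IIQQQQQQ", 1
    else:
        raise ValueError("unknown ELF class %d" % elf_class)
    headers = []
    for i in range(e_phnum):
        fields = struct.unpack_from(fmt, data, e_phoff + i * e_phentsize)
        headers.append((fields[0], fields[flags_idx]))
    return e_type, headers


def hardening_report(data: bytes) -> dict:
    """Report PIE and executable-stack status for one ELF image."""
    e_type, phdrs = program_headers(data)
    types = [t for t, _ in phdrs]
    # Heuristic: a PIE is ET_DYN *and* has an interpreter; ET_DYN alone
    # is normally a shared library, not an executable.
    pie = e_type == ET_DYN and PT_INTERP in types
    stack_flags = [f for t, f in phdrs if t == PT_GNU_STACK]
    # Assumption: with no PT_GNU_STACK the kernel uses the historical
    # x86 default, an executable stack, so treat absence as executable.
    exec_stack = True if not stack_flags else bool(stack_flags[0] & PF_X)
    return {"pie": pie, "exec_stack": exec_stack,
            "has_gnu_stack": bool(stack_flags)}


def build_elf(elf_class, little, e_type, phdrs):
    """Constructed test input: a minimal ELF whose program headers are
    the given (p_type, p_flags) pairs.  Offsets/sizes are zero except
    those the checker reads; this is not a loadable binary."""
    end = "<" if little else ">"
    ident = b"\x7fELF" + bytes([elf_class, 1 if little else 2, 1]) + bytes(9)
    if elf_class == 1:
        ehsize, phentsize = 52, 32
        hdr = ident + struct.pack(end + "HHIIIIIHHHHHH", e_type, 3, 1, 0,
                                  ehsize, 0, 0, ehsize, phentsize,
                                  len(phdrs), 0, 0, 0)
        body = b"".join(struct.pack(end + "IIIIIIII", t, 0, 0, 0, 0, 0, f, 0)
                        for t, f in phdrs)
    else:
        ehsize, phentsize = 64, 56
        hdr = ident + struct.pack(end + "HHIQQQIHHHHHH", e_type, 62, 1, 0,
                                  ehsize, 0, 0, ehsize, phentsize,
                                  len(phdrs), 0, 0, 0)
        body = b"".join(struct.pack(end + "IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0)
                        for t, f in phdrs)
    return hdr + body


def main(argv):
    if len(argv) > 1:  # real files: e.g. python3 elfcheck.py /usr/bin/evince
        for path in argv[1:]:
            with open(path, "rb") as fh:
                print(path, hardening_report(fh.read()))
        return
    # Constructed samples: a hardened x86-64 PIE with a non-exec stack,
    # and an i386 non-PIE whose PT_GNU_STACK is RWX (the mono-style case).
    good = build_elf(2, True, ET_DYN, [(PT_INTERP, 4), (PT_GNU_STACK, 6)])
    bad = build_elf(1, False, ET_EXEC, [(PT_GNU_STACK, 7)])
    print("sample pie    ", hardening_report(good))
    print("sample rwx    ", hardening_report(bad))


if __name__ == "__main__":
    main(sys.argv)
```

Run it with no arguments to see the two constructed samples, or pass binaries on the command line to audit a package's installed executables; anything reported with `exec_stack: True` is a candidate for the executable-stack work item, and `pie: False` on an executable is a candidate for the PIE one.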

 * provide an early notification of EOL

Gobby notes (for roundtable):

Welcome to the Security roundtable

clamav 0.95 from -backports should go to -security by February at the latest (it's still only in -backports, but all the testing from the wiki has been performed)

latest Ubuntu doesn't work with Cisco VPNs that require TCP tunneling (vpnc doesn't seem to support tunneling). This seems to be a kernel issue (i.e. the wrapper around the binary module doesn't compile on recent kernels...)

In the MOTU membership process, have one of the questions asked be "Have you created a security update? Why not?". Also, make it known that this is a good way to get experience

Community USNs -- a filtered list of changelogs, now that -security uploads show up on the -changes mailing lists. Create an automated announcement that constructs it from the various sources

Possibly an XS-USN field in the source .changes file. Talk to Debian about maybe a common field for that
