How can the Ubuntu Security Team help Debian better? (Security)

2009/11/16: Will create a wiki page detailing how Ubuntu can contribute to Debian and vice versa. This will be linked from Ubuntu for Debian Developers, etc. It will discuss where our information is so Debian can use our work. Where it can be automated, the Ubuntu security team will push to and pull from Debian.

Work items:
create wiki page: DONE

Lucid work items:
shop it to Debian: WONTIMPLEMENT
update wiki with Debian feedback: WONTIMPLEMENT

Gobby notes:

Goal: define processes Ubuntu security team can use when we publish security updates that can better help Debian.

 * Ubuntu pulls from, among other things, the Debian security CVE tree when Ubuntu performs triage.
 * "Not for us" entries are synced back to Debian.
 * Debian rejected the idea of Ubuntu automatically adding package triaged entries
  * We could document how to run the script that does this, though

 * Ubuntu will sync from Debian stable DSA packages to Ubuntu when Ubuntu's version is the same:
  * http://people.ubuntu.com/~stefanlsd/synclist.html
 * Next step is manual inspection of non-matching versions with matching code
  * "I would rather break it for a while than leave it vulnerable."

 * Ubuntu generally sends security patches for current Ubuntu devel to current Debian devel

 * "Ubuntu Security for Debian Security" wiki page
   - Good ideas for scripts, links, policies, LP, -changes. Document that CVE stuff in LP is not used as much by our team (or at least describe how we use it)

 * Encourage (not require) that new security bugs in Ubuntu get linked to a Debian bug

 * Open bug about CVE associations via LP comments (almost always wrong, especially via changelog text)