How can the Ubuntu Security Team help Debian better? (Security)

Registered by Jamie Strandboge

Ubuntu and Debian already collaborate on important security issues. For smaller issues, patches are often sent back to Debian, and vice versa. This session will discuss ways to make it easier for Debian developers to get information (ie CVE triage) and patches, define the processes for collaboration, and formalize how the Ubuntu Security team interacts with Debian's security processes.

Blueprint information

Robbie Williamson
Jamie Strandboge
Jamie Strandboge
Series goal:
Accepted for natty
Milestone target:
milestone icon ubuntu-11.04
Started by
Jamie Strandboge
Completed by
Jamie Strandboge

Related branches



2009/11/16: Will create a wiki page detailing how Ubuntu can contribute to Debian and vice versa. This will be linked from Ubuntu for Debian Developers, etc. It will discuss where our information is so Debian can use our work. Where it can be automated, the Ubuntu security team will push to and pull from Debian.

Work items:
create wiki page: DONE

Lucid work items:
shop it to Debian: WONTIMPLEMENT
update wiki with Debian feedback: WONTIMPLEMENT

Gobby notes:

Goal: define processes Ubuntu security team can use when we publish security updates that can better help Debian.

 * Ubuntu pulls from, among other things, the Debian security CVE tree when Ubuntu performs triage.
 * "Not for us" entries are synced back to Debian.
 * Debian rejected the idea of Ubuntu automatically adding package triaged entries
  * We could document how to run the script that does this, though

 * Ubuntu will sync from Debian stable DSA packages to Ubuntu when Ubuntu's version is the same:
 * Next step is manual inspection of non-matching versions with matching code
  * "I would rather break it for a while than leave it vulnerable."

 * Ubuntu generally sends security patches for current Ubuntu devel to current Debian devel

 * "Ubuntu Security for Debian Security" wiki page
   - Good ideas for scripts, links, policies, LP, -changes. Document that CVE stuff in LP is not used as much by our team (or at least describe how we use it)

 * Encourage (not require) that new security bugs in Ubuntu get linked to a Debian bug

 * Open bug about CVE associations via LP comments (almost always wrong, especially via changelog text)


Work Items