So I recently announced my intention to rejoin the Debian project, having been a member between 2002 & 2011 (inclusive).
In the past I resigned mostly due to lack of time, and what has changed is that these days I have more free time - primarily because my wife works in accident & emergency and has "funny shifts". This means we spend many days and evenings together, then she might work 8pm-8am for three nights in a row, which then becomes Steve-time, and can involve lots of time browsing reddit, coding obsessively, and watching bad TV (currently watching "Lost Girl". Shades of Buffy/Blood Ties/similar. Not bad, but not great.)
My NM-progress can be tracked here, and once accepted I have a plan for my activities:
- I will minimally audit every single package running upon any of my personal systems.
- I will audit as many of the ITP packages as I can manage.
- I may, or may not, actually package software.
I believe this will be useful, even though there will be limits - I've no patience for PHP and will just ignore it, along with its ecosystem, for example.
As today's progress, I reported #754899 / CVE-2014-4978 against Rawstudio, and discussed some issues with ITP: tiptop (the program seems semi-expected to be installed setuid(0), but if it is then it will allow arbitrary files to be truncated/overwritten via "tiptop -W /path/to/file").
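The tiptop issue above is an instance of a general bug class: a setuid program opening a user-supplied output path with its elevated privileges. The following is an added illustration of that class beside its standard mitigation (constructed example code, not tiptop's source; the function names and the temp-directory self-check are my own assumptions):

```c
#define _XOPEN_SOURCE 700                       /* seteuid, mkdtemp, symlink */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Vulnerable pattern (hypothetical, not tiptop's code): a setuid-root tool
 * opens the user-supplied output path as root, so the caller can truncate
 * or overwrite any file root may write. */
int open_output_privileged(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
}

/* Hardened form: open as the *real* user so the kernel enforces the caller's
 * own permissions, and refuse symlinks (O_NOFOLLOW) so a planted link cannot
 * redirect the write. Returns an fd or -1 with errno set. */
int open_output_as_caller(const char *path)
{
    uid_t saved_euid = geteuid();
    int fd, saved_errno;
    if (seteuid(getuid()) != 0)                 /* drop to caller's identity */
        return -1;
    fd = open(path, O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW, 0644);
    saved_errno = errno;
    if (seteuid(saved_euid) != 0) {             /* regain; failure is fatal */
        if (fd >= 0) close(fd);
        return -1;
    }
    errno = saved_errno;
    return fd;
}

/* Self-check on constructed files in a fresh temp dir: the hardened open must
 * accept a regular file and reject a symlink to it (ELOOP). 1 = pass. */
int self_check(void)
{
    char dir[] = "/tmp/setuid_demo.XXXXXX", target[64], link[64];
    int fd, ok = 1;
    if (mkdtemp(dir) == NULL) return 0;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(link, sizeof link, "%s/link", dir);
    if ((fd = open_output_as_caller(target)) < 0) ok = 0; else close(fd);
    if (ok && symlink(target, link) != 0) ok = 0;
    if (ok && (fd = open_output_as_caller(link)) >= 0) { close(fd); ok = 0; }
    else if (ok && errno != ELOOP) ok = 0;
    unlink(link); unlink(target); rmdir(dir);
    return ok;
}
```

Call self_check() from a main() of your own; it behaves the same whether or not the binary is actually installed setuid, which is what makes the hardened open safe to ship.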
(ObRandom: still waiting for a CVE identifier for #749846/TS-2867.)
And now sleep.
Tags: audit, debian, security 4 comments
http://wiki.debian.org/PaulWise
Some ideas:
Install the how-can-i-help and debsecan packages. Run them daily and fix any issues that come up.
Work on hardening Debian:
https://wiki.debian.org/Hardening/Goals
Get ubuntu-security-tools into shape for inclusion in Debian.
https://launchpad.net/ubuntu-security-tools
Follow the debian-mentors list and do audits on new software.