LTS and Security Team BoF
=========================

* An internal review of the first commits to the security-tracker by new LTS team members would be good.
* The security team requests help with keeping the list at https://security-tracker.debian.org/tracker/status/unreported down. It got better during the last year for new packages.
* For temporary issues, request a CVE (http://cve.mitre.org/cve/request_id.html). Mark the status in the tracker to avoid duplication. Backlog: https://security-tracker.debian.org/tracker/data/fake-names
* The BTS is the canonical place for communication about the bug.
  - Version information there is not up-to-date and that is ok <- the security tracker is canonical for that.
  - Should we skip our LTS "do you want to take care of this yourself" mails and rely on the BTS completely?
* Try to keep inter-distro info up-to-date (link???).
* To track regressions after an upload, watch the BTS for one/two weeks after a release. Alternatively:
  - the stable report-bug could query for security regressions and put the lists in cc.
  - query UDD (the blends script does something like that; Andreas Tille wrote it, see https://anonscm.debian.org/cgit/blends/website.git/tree/webtools/bugs.py)
* cacti has an autopkgtest that includes exploit tests (the test suite works with tweaks for older versions).
* bin/check-new-issues (command) in secure-testing helps with new issues. There is some emacs integration for d{l,s}a-needed and data/CVE/list, but that can be improved.
* There was/is a connection with the BTS: a CVE usertag or tag. Details anyone?
* Severity of bugs: early in the release -> RC, later depending on the severity of the CVE. In doubt, start high.
* The license of CVE text is unclear -> Moritz rewrites from scratch: a generic description of the issue instead of details of functions.
* Something like proposed-updates (a staging repository) for security would be great for stable and LTS, since it would do away with "please test ..." and allow people with CI to test packages before they hit production. It also makes it simple to point "known testers" of certain types of packages to it.