<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html><head><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>Debian testing security team</title>
<link type="text/css" rel="stylesheet" href="style.css">
<link rel="shortcut icon" href="http://www.debian.org/favicon.ico">
</head>
<body>
<div align="center">
<a href="http://www.debian.org/">
<img src="http://www.debian.org/logos/openlogo-nd-50.png" border="0" hspace="0" vspace="0" alt=""></a>
<a href="http://www.debian.org/">
<img src="http://www.debian.org/Pics/debian.png" border="0" hspace="0" vspace="0" alt="Debian Project"></a>
</div>
<br />
<table class="reddy" width="100%">
<tr>
<td class="reddy">
<img src="http://www.debian.org/Pics/red-upperleft.png" align="left" border="0" hspace="0" vspace="0"
alt="" width="15" height="16"></td>
<td rowspan="2" class="reddy">Debian testing security team</td>
<td class="reddy">
<img src="http://www.debian.org/Pics/red-upperright.png" align="right" border="0" hspace="0" vspace="0"
alt="" width="16" height="16"></td>
</tr>
<tr>
<td class="reddy">
<img src="http://www.debian.org/Pics/red-lowerleft.png" align="left" border="0" hspace="0" vspace="0"
alt="" width="16" height="16"></td>
<td class="reddy">
<img src="http://www.debian.org/Pics/red-lowerright.png" align="right" border="0" hspace="0" vspace="0"
alt="" width="15" height="16"></td>
</tr>
</table>
<h2>Goals</h2>
<p>
The Debian testing security team is a group of Debian developers
and users who are working to improve the state of security in
Debian's testing branch. The lack of security support for testing has
long been one of the key obstacles to using testing, and we aim to
eventually provide full security support for it.
</p>
<h2>Activities</h2>
<p>
The team's first activity was to check all security holes since the
release of Debian 3.0, to ensure that all the holes are fixed in
sarge and to provide a baseline for future work.
</p>
<p>
Now the team is tracking new holes on an ongoing basis: making sure
maintainers are informed of them and that there are bugs in the
Debian BTS, writing patches and doing NMUs as necessary, and
tracking the fixed packages and working with the Debian Release
Managers to make sure fixes reach testing quickly. Thanks to this
work we now have
<a href="http://security-tracker.debian.net/">a
web page</a> that tracks open security holes in testing and the other
branches of Debian.
</p>
<p>
The team is in the process of beginning full security support for
testing by providing security advisories and fixes built against
testing, without the delays sometimes involved in getting a
security fix into testing. These will be announced on the
<a href="http://lists.alioth.debian.org/mailman/listinfo/secure-testing-announce">secure-testing-announce@lists.alioth.debian.org</a>
mailing list, and will be available from the following apt
repository:
<pre>
deb http://security.debian.org lenny/updates main contrib non-free
deb-src http://security.debian.org lenny/updates main contrib non-free
</pre>
These are also available from this <a href='list.html'>list</a>.
</p>
<h2>Data sources</h2>
<p>
Currently we're limiting ourselves to tracking security holes that
have been the subject of a Debian Security Advisory, or are in the
<a href="http://www.cve.mitre.org/cve/index.html">CVE</a> database.
It's very helpful to us if bug reports and Debian changelog entries
include CVE numbers for security holes. If you don't have a CVE
number, we can help you get one.
</p>
<p>
The team maintains a database (actually a set of text files) that contains
our notes about all CVEs and DSAs. This database is available
<a href="http://svn.debian.org/wsvn/secure-testing">from subversion</a>,
and may be checked out from
<tt>svn://svn.debian.org/secure-testing/</tt>.
</p>
<h2>Uploads to the secure-testing repository</h2>
<p>
To upload a package to the secure-testing repository, any Debian
developer may follow this checklist:
</p>
<ol>
<li>Only upload changes that have already been made in
unstable and are blocked from reaching testing by some other
issue. This both keeps things in sync once the
new version from unstable reaches testing, and avoids
breaking secure-testing too badly with fixes that have not
been tested first in unstable.</li>
<li>If the orig.tar.gz is already on security.debian.org
(either in stable-security or in testing-security)
don't include it in the upload.</li>
<li>Only make uploads for issues that the testing security
team plans to issue a DTSA announcement for.
Contact the team first to avoid duplicate work.</li>
<li>Use a version number that is less than the version
number of the fix in unstable, but greater than the version
number currently in testing, so that the secure-testing package
supersedes the one in testing and is itself superseded when the
fixed version from unstable migrates. For example, if the fix is in
a new upstream version 1.0-1 in unstable, upload version
1.0-0.1lenny2 to secure-testing. If the fix is in version
1.5-10 in unstable, use version 1.5-9lenny2 in
secure-testing.</li>
<li>Use "testing-security" as the distribution in the
changelog.</li>
<li>Build the package in a testing chroot using pbuilder,
so that it is built against testing's dependencies. Be sure to build with
the -sa switch to include the source, unless the source is
already in the secure-testing archive.
</li>
<li>Test the package.</li>
<li>Sign the package. Any Debian developer in the keyring
can do so.</li>
<li>Upload to <tt>security-master.debian.org</tt>.
Here is a dput.cf snippet for that upload queue:
<pre>
[secured-testing]
fqdn = security-master.debian.org
method = ftp
incoming = /pub/OpenSecurityUploadQueue/
login = anonymous
</pre>
</li>
<li>Once your fix is accepted, a mail will be sent to
the <a href="http://lists.alioth.debian.org/mailman/listinfo/secure-testing-changes">secure-testing-changes</a>
list, and it will become available in this apt repository,
including builds for all other architectures:
<pre>
deb http://security.debian.org/ testing/updates main contrib non-free
deb-src http://security.debian.org/ testing/updates main contrib non-free
</pre>
Build logs are mailed to the team and must be signed. Once everything is ok, a team member will issue a DTSA.
</li>
</ol>
<p>
To issue a DTSA, team members follow this checklist (note: this may change once newamber is fixed to use our templates):
</p>
<ol>
<li>Commit an initial .adv template into SVN to prevent duplicate work and claim an advisory number.</li>
<li>Prepare the update and fill out the .adv template.</li>
<li>Make sure everything is ready.</li>
<li><tt>cd data/DTSA; ./dtsa -p ADVISORYNUMBER</tt></li>
<li>Check DTSA-n-1 and DTSA-n-1.html. Remove the TODO line for
the advisory from the list file.</li>
<li><tt>mv DTSA-n-1.html ../../website/DTSA/</tt></li>
<li><tt>cd ../../website; ../bin/updatehtmllist --output list.html ../data/DTSA/list</tt></li>
<li><tt>cd ../; svn add website/DTSA/DTSA-n-1.html; svn commit</tt></li>
<li><tt>cd data/DTSA; ./sndadvisory DTSA-n-1</tt></li>
<li>Edit CVE/list and DSA/list to list the version of the
package that is in the secure-testing archive as fixing the
holes. This is unfortunately currently necessary for the fix to
appear as a fix on the tracking page.</li>
</ol>
<p>
Note that the above instructions are provisional until we get
everything set up.
</p>
<h2>Members and contacting the team</h2>
<p>
While some individual members may have sources of prior information
about security advisories (such as vendor-sec), the team as a whole
operates only on publicly available information. Any Debian
developer with an interest in participating is welcome to join
the team, and we also welcome others who have the skills and desire
to help us.
</p>
<p>
The team can be contacted through its mailing list,
<a href="http://lists.alioth.debian.org/mailman/listinfo/secure-testing-team">secure-testing-team@lists.alioth.debian.org</a>. Please note that this is a public list, and as such, you should not send details of undisclosed vulnerabilities to this address.
Our IRC channel is #debian-security on the OFTC network.
A second mailing list,
<a href="http://lists.alioth.debian.org/mailman/listinfo/secure-testing-commits">secure-testing-commits@lists.alioth.debian.org</a>,
receives commit messages for our repository; new team members
are encouraged to join it.
The list
<a href="http://lists.alioth.debian.org/mailman/listinfo/secure-testing-changes">secure-testing-changes@lists.alioth.debian.org</a>
receives automatic announcements of fixed packages uploaded to our
repository.
An <a href="http://alioth.debian.org/projects/secure-testing/">alioth
project page</a> is also available.
</p>
<hr>
<a href="http://validator.w3.org/check?uri=referer">
<img border="0" src="http://www.w3.org/Icons/valid-html401" alt="Valid HTML 4.01!" height="31" width="88"></a>
<a href="http://jigsaw.w3.org/css-validator/check/referer">
<img border="0" src="http://jigsaw.w3.org/css-validator/images/vcss" alt="Valid CSS!"
height="31" width="88"></a>
</body></html>