author | Steffen Joeris <white@debian.org> | 2008-06-03 10:24:56 +0000 |
---|---|---|
committer | Steffen Joeris <white@debian.org> | 2008-06-03 10:24:56 +0000 |
commit | 5373036994af6af02d8e3adaf2e12e8b65fbc637 (patch) | |
tree | 8de4653f2d630726b9c8e310b438f32aed985b60 /doc | |
parent | b6867ca8bb3702d5965326a9cb9faa37630d81e8 (diff) |
Start new Bits from announcement email
git-svn-id: svn+ssh://svn.debian.org/svn/secure-testing@8962 e39458fd-73e7-0310-bf30-c45bca0a0e42
Diffstat (limited to 'doc')
-rw-r--r-- | doc/bits_2008_06_x | 125 |
1 files changed, 125 insertions, 0 deletions
diff --git a/doc/bits_2008_06_x b/doc/bits_2008_06_x new file mode 100644 index 0000000000..2e7362c4e5 --- /dev/null +++ b/doc/bits_2008_06_x 
@@ -0,0 +1,125 @@ +Hi fellow developers, + +it's been some time since our last email. +Much happened in regard to security support of Debian's testing distribution. + + +Level of security support for the testing distribution: +------------------------------------------------------- + +The Debian Testing Security team provides almost provides full security +support for the testing distribution. At the time of the last email, two +blockers for full security support were present. We are happy to announce +that only one remains. The Debian Testing Security Team is now able to +process embargoed issues (read more about that below). +Therefore, the only remaining blocker for full security support is the kernel. +We are talking to the kernel security team about providing testing-security +support, but at the moment this task lacks manpower. If you are willing to +work on this, please feel free to contact us. Otherwise, we recommend to use +the stable kernel or if that is not an option, the unstable kernel in regard +to security. + + +Security status of the current testing distribution (lenny): +------------------------------------------------------------ + +With some pride we can say that testing was never in such good shape before +in regards to security. The tracker is reflecting known security issues in +the testing distribution(0). The new announcement emails provide a notification +for users, whenever a new security fix reaches testing, whether through +migration from unstable or DTSA for testing-security. Also fewer packages are +getting removed from testing, because of security issues. + +In order to reach a wider audience with security updates for testing, a new mailinglist +was created, called debian-testing-security-announce@lists.debian.org +We highly recommend that every user, who runs Debian testing and is concerned +about security subscribed to the debian-testing-security announcement list(1). 
+ + +Security status of the next testing distribution (lenny+1): +----------------------------------------------------------- + +After the release of lenny, we expect to continue with the normal +testing-security support without interruptions. However, this depends +on our buildds and the ability to release DTSAs. We hope that the +proper buildd network for the next testing distribution is in place +shortly after lenny becomes stable. The announcement emails will +continue as usual. + + +Embargoed issues and access to wider security information: +--------------------------------------------------------- + +Coming soon ... :) + + +Freeze of lenny coming up: +-------------------------- + +With the lenny release approaching, the Debian release team will at some stage +freeze the testing archive. This means it is even more important to stay in +close contact with the Debian Testing Security Team to coordinate security +updates for the testing distribution. If one of your packages is affected by +an unembargoed security issue, please contact us through the public list of +the team(2) and fix the issue in unstable with high urgency. Please send as +many information as possible, including patches, ways to reproduce the issue +and further descriptions. If we ask you to prepare a DTSA, please follow the +instructions on the testing-security webpage(3) and go ahead with the upload. +If your package is affected by an embargoed issue, email the private list(4) +and if we should ask you to upload a DTSA, use the embargoed upload queue +(which is the same than for stable/oldstable). + + +Handling of security issues in the unstable distribution: +--------------------------------------------------------- + +First of all, unstable does not have official security support. The illusion that +the Debian Testing Security Team also officially supports unstable is not true. 
+Security issues in unstable, especially when the package is not in testing, are +not regarded as high urgency and only dealt with, when there is enough spare time. +However, it is true that we let most of our security updates migrate through +unstable. For this purpose, we urge every maintainer to upload their security +fixes with high urgency and mention the CVE ids (if given) in their changelogs. +Because we let fixes migrate, it often happens that we NMU packages. An up to date +list of NMUs done by the security team can be found in the svn(5). These NMUs +are done as the need arises and do not allways follow the given NMU rules, because +security updates are treated with higher urgency. If you happen to get a bug +reported against one of your packages, please speak up, but if a working patch is +already reported and not disputed, consider uploading soon. + + +Call for new members: +--------------------- + +The team is still looking for new members. If you are interested in joining the +Debian Testing Security Team, please speak up and either write to the public +mailing list(6) or approach us under on the internal mailing list(6). Note that +you do not have to be a DD for all tasks. Your work would include to keep the +security tracker(8) up to date, report bugs about new unembargoed issues to the +BTS, give advice to maintainers and track the bugs, write and/or review patches, +propose NMUs and take care of DTSAs. If you are interested, but unsure that you +can cope with all this, we offer some level of mentoring for new members, where +we work together on some issues as some sort of introduction. You should also +be on IRC as most of our coordination happens there. 
+ + +Yours, +Testing Security Team + +(0): http://security-tracker.debian.net/tracker/status/release/testing + +(1): http://lists.debian.org/debian-testing-security-announce + +(2): secure-testing-team@lists.alioth.debian.org + +(3): http://testing-security.debian.net/uploading.html + +(4): team@security.debian.org + +(5): http://svn.debian.org/wsvn/secure-testing/data/NMU/list?op=file&rev=0&sc=0 + +(6): secure-testing-team@lists.alioth.debian.org + +(7): team@testing-security.debian.net + +(8): http://security-tracker.debian.net/tracker/ |
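Review bot: In the "Call for new members" paragraph the internal mailing list is cited as (6), the same footnote as the public list, so footnote (7) (team@testing-security.debian.net) is never referenced; the second reference should be (7), and "approach us under on" should drop one of the two prepositions. The opening section tells readers to "read more about that below" for embargoed issues, but the "Embargoed issues and access to wider security information" section still contains only "Coming soon ... :)", so that section needs its text before the mail goes out. Smaller wording fixes in the same file: "provides almost provides full security support" repeats the verb, "allways" should be "always", "as many information" should be "as much information", and "the same than" should be "the same as".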