From 4af072da37760a1ea331b03fb8c181d9da980e94 Mon Sep 17 00:00:00 2001 From: Stefan Fritsch Date: Fri, 5 Oct 2007 21:35:05 +0000 Subject: start to update the website git-svn-id: svn+ssh://svn.debian.org/svn/secure-testing@6809 e39458fd-73e7-0310-bf30-c45bca0a0e42 --- website/index.html | 235 ++++++++++++++++++------------------------------- website/uploading.html | 94 ++++++++++++++++++++ 2 files changed, 181 insertions(+), 148 deletions(-) create mode 100644 website/uploading.html (limited to 'website') diff --git a/website/index.html b/website/index.html index 09819260aa..e94860d339 100644 --- a/website/index.html +++ b/website/index.html @@ -39,172 +39,111 @@

The Debian testing security team is a group of Debian developers - and users who are working to improve the state of security in - Debian's testing branch. Lack of security support for testing has - long been one of the key problems to using testing, and we aim to - eventually provide full security support for testing. + and users who are working to keep Debian's testing branch in good + shape with respect to security. Since packages migrate to testing + from Debian's unstable branch, a secondary goal of the team is to + improve the state of security in unstable.

+ -

Activities

+

Security Tracker

- The team's first activity was to check all security holes since the - release of Debian 3.0, to ensure that all the holes are fixed in - sarge and to provide a baseline for future work. + The team is tracking new security holes on an ongoing basis, making sure + maintainers are informed of them and filing bug reports in the + Debian BTS. The result of this work is availably in the + Security Tracker web page. + This tracker contains information about all branches of Debian and is also + used by the stable security team.

-

- Now the team is tracking new holes on an ongoing basis, making sure - maintainers are informed of them and that there are bugs in the - Debian BTS, writing patches and doing NMUs as necessary, and - tracking the fixed packages and working with the Debian Release - Managers to make sure fixes reach testing quickly. Thanks to this - work we now have - a - web page, that tracks open security holes in testing and other - branches of Debian. -

+

Security support for testing

-

- The team is in the process of beginning full security support for - testing by providing security advisories and fixes built against - testing without the usual delays sometimes involved in getting a - security fix into testing. These will be announced on the - secure-testing-announce@lists.alioth.debian.org - mailing list, and will be available in the following apt - repository: -

-	 deb http://security.debian.org lenny/updates main contrib non-free
-	 deb-src http://security.debian.org lenny/updates main contrib non-free
-	
- These are also available from this list.
+

The team is providing security support for Debian's testing branch by

-

Data sources

+ + +

Note that in order to take advantage of the security support for testing, + you must update your system on a regular basis.

+ +

Limitations

-

- To issue a DTSA, team members follow this checklist (note: this may change once newamber is fixed to use our templates): -

    -
  1. Commit an initial .adv template into SVN to prevent duplicate work and claim an advisory number -
  2. Prepare the update and fill out the .adv template -
  3. Make sure everything is ready. -
  4. cd data/DTSA; ./dtsa -p ADVISORYNUMBER
  5. -
  6. check DTSA-n-1 and DTSA-n-1.html. Remove TODO line for - advisory from the list file
  7. -
  8. mv DTSA-n-1.html ../../website/DTSA/
  9. -
  10. cd ../../website; ../bin/updatehtmllist --output list.html ../data/DTSA/list
  11. -
  12. cd ../; svn add website/DTSA/DTSA-n-1.html; svn commit
  13. -
  14. cd data/DTSA; ./sndadvisory DTSA-n-1
  15. -
  16. Edit CVE/list and DTSA/list to list the version of the - package that is in the secure-testing archive as fixing the - holes. This is unfortunately currently necessary for the fix to - appear as a fix on the tracking page.
  17. -
+

For several reasons, the security support for testing cannot be expected to + be of the same quality as for Debian's stable branch:

+ + + +

Announcements

-

Members and contacting the team

+

Daily notifications about fixed security issues are sent to the + secure-testing-announce@lists.alioth.debian.org + mailing list.

+ +

Contacting the team

+ +

To contact the team, use

+ + +

For issues related to the Debian security tracker, use the

+ + -

- While some individual members may have sources of prior information - about security advisories (such as vendor-sec), the team as a whole - operates only on publicly available information. Any Debian - developers with an interest in participating are welcome to join - the team, and we also welcome others who have the skills and desire - to help us.

+

More information

+ + + -

- The team can be contacted through its mailing list, - secure-testing-team@lists.alioth.debian.org. Please note that this is a public list, and as such, you should not send details of undisclosed vulnerabilities to this address. - Our irc channel is #debian-security on the OFTC network. - There is a second mailing list, - secure-testing-commits@lists.alioth.debian.org - that receives commit messages to our repository, new team members - are encouraged to join it. - The list - secure-testing-changes@lists.alioth.debian.org - receives automatic annoucements of fixed packages uploaded to our - repository. - An alioth - project page is also available. -


$Id$
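Review bot: In the new "Contacting the team" section, the added lines visible here ("To contact the team, use" and "For issues related to the Debian security tracker, use the") do not repeat the sentence from the removed paragraph saying that the team list is public and that details of undisclosed vulnerabilities should not be sent to it. Keep that sentence next to the list address, so that reporters do not post embargoed details to a public archive. In the Security Tracker paragraph, "availably" should be "available".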

diff --git a/website/uploading.html b/website/uploading.html new file mode 100644 index 0000000000..41cf304955 --- /dev/null +++ b/website/uploading.html @@ -0,0 +1,94 @@ + + + Uploading to testing-security + + + + +
+ + + + + Debian Project +
+
+ + + + + + + + + + + +
+ Debian testing security team +
+ + +
+ +

+ To upload a package to the secure-testing repository, any Debian + developer may follow this checklist: +

    +
  1. Only upload changes that have already been made in + unstable and are blocked by reaching testing by some other + issues. This is both to keep things in sync once the + new version from unstable reaches testing, and to avoid + breaking secure-testing too badly with fixes that have not + been tested first in unstable.
  2. +
  3. If the orig.tar.gz is already on security.debian.org + (either in stable-security or in testing-security) + don't include it in the upload. If in doubt, ask the team.
  4. +
  5. Contact the team first to avoid duplicate work.
  6. +
  7. Use a version number that is less than the version + number of the fix in unstable, but greater than the version + number of the fix in testing (including a possible +b1 for binNMUs). + For example, if the fix is in a new upstream version 1.0-1 in unstable, + upload version 1.0-1~lenny1 to testing-security. If the current version + in testing is 1.2-3 and the fix is backported to this version, upload + version 1.2-3+lenny1 to testing-security.
  8. +
  9. Use "testing-security" as the distribution in the + changelog.
  10. +
  11. Build the package in a testing chroot using pbuilder + so that all the dependencies are ok. Be sure to build with + the -sa switch to include source, unless the source is + already in the testing-security archive. +
  12. +
  13. Test the package. Diff the package against the version + in testing (if backporting fixes). Use debdiff on both + source and binary packages.
  14. +
  15. Sign the package. Any Debian developer in the keyring + can do so.
  16. +
  17. Upload to security-master.debian.org. + Here is a dput.cf snippet for that upload queue: +
    +		[testing-security]
    +		fqdn = security-master.debian.org
    +		method = ftp
    +		incoming = /pub/OpenSecurityUploadQueue/
    +		login = anonymous
    +		
    + Note that this is not the same queue as usually used for stable security. +
  18. +
+ + + +

$Id: index.html 6493 2007-09-04 11:06:04Z nion $

+ + Valid HTML 4.01! + + Valid CSS! + + + -- cgit v1.2.3
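Review bot: In the version-number step, "greater than the version number of the fix in testing" cannot be what is meant, since testing does not have the fix yet; the example that follows speaks of "the current version in testing", so the rule should read "greater than the version currently in testing (including a possible +b1 for binNMUs)". In the first step, "blocked by reaching testing" should be "blocked from reaching testing", and the step "Contact the team first to avoid duplicate work" belongs at the top of the checklist rather than third. The footer of this new file carries an expanded "$Id: index.html 6493 2007-09-04 11:06:04Z nion $" copied from index.html; reset it to "$Id$" so the keyword expands for uploading.html. Because the dput.cf stanza uploads with "method = ftp" and "login = anonymous", it would help to state at the signing step that the developer's signature is what authenticates the upload.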