Helping testing security

	Debian testing security team
	Debian testing security team

As non-Debian Developer

Sure you can also help improving Debian's security in testing/unstable without being an official developer.

Work on the security tracker, request to get added to the secure-testing group an alioth since we use subversion located on alioth to manipulate the tracker data. Make sure to read our narrative introduction if you start with this.
Track bugs reported to the Debian BTS for security flaws and help on fixing them and getting a CVE id for it if none exists yet (please contact the team for this).
Report vulnerabilities for software Debian includes in a package to the Debian BTS. Please use the tag security and include the CVE id there is already one available.

There are a few things to keep in mind as a maintainer to make the work of the testing-security team a bit easier.

Watch out for security relevant bugs reported in your packages and react fast on them. Contact the team if you need assistance.
Make descriptive, meaningful changelog entries. This means to always include CVE ids in the package changelog for bugs that have one and to mention that this is a security upload.
Contact the team if you fix bugs which are not reported to the BTS but have a CVE id so we can mark the version as fixed in the security tracker.
Upload your package to the testing-security repository if the migration from unstable would take too long for some reason.
The upload should have urgency=high to ensure a fast migration to testing.

As a developer you can do basically the same work as described above for non-Debian developers except a few things

Help on doing NMUs to unstable for bugs reported to the BTS with security impact. Make it obvious that this an upload by the testing security team, use descriptive changelog entries and mention the CVE ids for the bugs your are fixing.

$Id: helping.html 6493 2007-09-04 11:06:04Z nion $