path: root/website/index.html
blob: ebd28f5860b6ce3d719cb22006d2a927ba714fd0
<html>
	<head>
	<title>Debian testing security team</title>
	</head>

	<h1>Goals</h1>
	
	<p>
	The Debian testing security team is a group of Debian developers
	and users who are working to improve the state of security in
	Debian's testing branch. Lack of security support for testing has
	long been one of the key problems to using testing, and we aim to
	eventually provide full security support for testing.
	</p>

	<h1>Activities</h1>
	
	<p>
	The team's first activity was to check all security holes since the
	release of Debian 3.0, to ensure that all the holes are fixed in
	sarge and to provide a baseline for future work.
	</p>
	
	<p>
	Now the team is tracking new holes on an ongoing basis, making sure
	maintainers are informed of them and that there are bugs in the
	Debian BTS, writing patches and doing NMUs as necessary, and
	tracking the fixed packages and working with the Debian Release
	Managers to make sure fixes reach testing quickly. Thanks to this
	work we now have
	<a href="http://newraff.debian.org/~joeyh/testing-security.html">a
	web page</a> that tracks open security holes in testing.
	</p>

	<h1>Future plans</h1>

	<p>
	After sarge is released and once the autobuilder infrastructure is
	in place, we hope to begin issuing security advisories for holes in
	testing, and providing fixed packages immediately on
	security.debian.org or a similar site, without the regular delay
	involved in getting a fixed package into testing.
	</p>
	
	<h1>Data sources</h1>

	<p>
	Currently we're limiting ourselves to tracking security holes that
	have been the subject of a Debian Security Advisory, or are in the
	<a href="http://www.cve.mitre.org/cve/index.html">CVE</a> database.
	It's very helpful to us if bug reports and Debian changelog entries
	include CVE numbers for security holes. If you don't have a CVE
	number, we can help you get one.
	</p>

	<p>
	The team maintains a database (actually some files) that contains
	our notes about all CVEs, CANs, and DSAs. This database is available
	<a href="http://svn.debian.org/wsvn/secure-testing">from subversion</a>,
	and may be checked out from
	<tt>svn://svn.debian.org/secure-testing/</tt>.
	</p>
	
	<h1>Members and contacting the team</h1>
	
	<p>
	While some individual members may have sources of prior information
	about security advisories (such as vendor-sec), the team as a whole
	operates only on publicly available information. Any Debian
	developers with an interest in participating are welcome to join
	the team, and we also welcome others who have the skills and desire
	to help us.
	</p>

	<p>
	The team can be contacted through its mailing list,
	<a href="http://lists.alioth.debian.org/mailman/listinfo/secure-testing-team">secure-testing-team@lists.alioth.debian.org</a>.
	There is a second mailing list, 
	<a href="http://lists.alioth.debian.org/mailman/listinfo/secure-testing-commits">secure-testing-commits@lists.alioth.debian.org</a>
	that receives commit messages to our repository. An 
	<a href="http://alioth.debian.org/projects/secure-testing/">alioth
	project page</a> is also available.
	</p>

	<hr>

	$Id$
	
</html>
