/[secure-testing]/website/index.html

Contents of /website/index.html



Revision 1477
Thu Jul 28 05:11:10 2005 UTC (7 years, 9 months ago) by joeyh
File MIME type: text/html
File size: 3122 byte(s)
ftp-master moved to spohr
1 joeyh 381 <html>
2     <head>
3     <title>Debian testing security team</title>
4     </head>
5    
6     <h1>Goals</h1>
7    
8     <p>
9     The Debian testing security team is a group of Debian developers
10     and users who are working to improve the state of security in
11     Debian's testing branch. Lack of security support for testing has
12     long been one of the key problems with using testing, and we aim to
13     eventually provide full security support for testing.
14     </p>
15    
16     <h1>Activities</h1>
17    
18     <p>
19     The team's first activity was to check all security holes since the
20     release of Debian 3.0, to ensure that all the holes are fixed in
21     sarge and to provide a baseline for future work.
22     </p>
23    
24     <p>
25     Now the team is tracking new holes on an ongoing basis, making sure
26     maintainers are informed of them and that there are bugs in the
27     Debian BTS, writing patches and doing NMUs as necessary, and
28     tracking the fixed packages and working with the Debian Release
29     Managers to make sure fixes reach testing quickly. Thanks to this
30     work we now have
31 joeyh 1477 <a href="http://spohr.debian.org/~joeyh/testing-security.html">a
32 joeyh 707 web page</a> that tracks open security holes in testing.
33 joeyh 381 </p>
34    
35     <h1>Future plans</h1>
36    
37     <p>
38     After sarge is released and once the autobuilder infrastructure is
39     in place, we hope to begin issuing security advisories for holes in
40     testing, and providing fixed packages immediately on
41     security.debian.org or a similar site, without the regular delay
42     involved in getting a fixed package into testing.
43     </p>
44    
45     <h1>Data sources</h1>
46    
47     <p>
48     Currently we're limiting ourselves to tracking security holes that
49     have been the subject of a Debian Security Advisory, or are in the
50     <a href="http://www.cve.mitre.org/cve/index.html">CVE</a> database.
51     It's very helpful to us if bug reports and Debian changelog entries
52     include CVE numbers for security holes. If you don't have a CVE
53     number, we can help you get one.
54     </p>
55    
56     <p>
57     The team maintains a database (actually some files) that contains
58 joeyh 384 our notes about all CVEs, CANs, and DSAs. This database is available
59 joeyh 381 <a href="http://svn.debian.org/wsvn/secure-testing">from subversion</a>,
60     and may be checked out from
61     <tt>svn://svn.debian.org/secure-testing/</tt>.
62     </p>
63    
64     <h1>Members and contacting the team</h1>
65    
66     <p>
67     While some individual members may have sources of prior information
68     about security advisories (such as vendor-sec), the team as a whole
69     operates only on publicly available information. Any Debian
70     developers with an interest in participating are welcome to join
71     the team, and we also welcome others who have the skills and desire
72     to help us.
73     </p>
74    
75     <p>
76     The team can be contacted through its mailing list,
77 djoume-guest 1230 <a href="http://lists.alioth.debian.org/mailman/listinfo/secure-testing-team">secure-testing-team@lists.alioth.debian.org</a>.
78 joeyh 381 There is a second mailing list,
79 djoume-guest 1230 <a href="http://lists.alioth.debian.org/mailman/listinfo/secure-testing-commits">secure-testing-commits@lists.alioth.debian.org</a>
80 joeyh 381 that receives commit messages to our repository. An
81     <a href="http://alioth.debian.org/projects/secure-testing/">alioth
82     project page</a> is also available.
83     </p>
84 joeyh 383
85     <hr>
86    
87     $Id$
88    
89 joeyh 381 </html>

Properties

Name Value
svn:keywords Id
