secure-testing/website/index.html

<html>
        <head>
        <title>Debian testing security team</title>
        </head>

        <h1>Goals</h1>
        
        <p>
        The Debian testing security team is a group of debian developers
        and users who are working to improve the state of security in
        Debian's testing branch. Lack of security support for testing has
        long been one of the key problems to using testing, and we aim to
        eventually provide full security support for testing.
        </p>

        <h1>Activities</h1>
        
        <p>
        The team's first activity was to check all security holes since the
        release of Debian 3.0, to ensure that all the holes are fixed in
        sarge and to provide a baseline for future work.
        </p>
        
        <p>
        Now the team is tracking new holes on an ongoing basis, making sure
        maintainers are informed of them and that there are bugs in the
        Debian BTS, writing patches and doing NMUs as necessary, and
        tracking the fixed packages and working with the Debian Release
        Managers to make sure fixes reach testing quickly. Thanks to this
        work we now have
        <a href="http://merkel.debian.org/~joeyh/testing-security.html">a
        web page</a>, that tracks open security holes in testing. (An 
        <a href="http://newraff.debian.org/~joeyh/testing-security.html">alternate
        page</a> tracks archive changes more quickly, but may be
        innaccurate due to bugs in madison on newraff.)
        </p>

        <h1>Future plans</h1>

        <p>
        After sarge is released and once the autobuilder infrastructure is
        in place, we hope to begin issuing security advisories for holes in
        testing, and providing fixed packages immediatly on
        security.debian.org or a similar site, without the regular delay
        involved in getting a fixed package into testing.
        </p>
        
        <h1>Data sources</h1>

        <p>
        Currently we're limiting ourselves to tracking security holes that
        have been the subject of a Debian Security Advisory, or are in the
        <a href="http://www.cve.mitre.org/cve/index.html">CVE</a> database.
        It's very helpful to us if bug reports and Debian changelog entries
        include CVE numbers for security holes. If you don't have a CVE
        number, we can help you get one.
        </p>

        <p>
        The team maintains a database (actually some files) that contain
        our notes about all CVEs, CANs, and DSAs. This dataase is available
        <a href="http://svn.debian.org/wsvn/secure-testing">from subversion</a>,
        and may be checked out from
        <tt>svn://svn.debian.org/secure-testing/</tt>.
        </p>
        
        <h1>Members and contacting the team</h1>
        
        <p>
        While some individual members may have sources of prior information
        about security advisories (such as vendor-sec), the team as a whole
        operates only on publically available information. Any Debian
        developers with an interest in participating are welcome to join
        the team, and we also welcome others who have the skills and desire
        to help us.
        </p>

        <p>
        The team can be contacted through its mailing list,
        <a href="secure-testing-team@lists.alioth.debian.org">secure-testing-team@lists.alioth.debian.org</a>.
        There is a second mailing list, 
        <a href="secure-testing-commits@lists.alioth.debian.org">secure-testing-commits@lists.alioth.debian.org</a>
        that receives commit messages to our repository. An 
        <a href="http://alioth.debian.org/projects/secure-testing/">alioth
        project page</a> is also available.
        </p>

        <hr>

        $Id$
        
</html>
1	joeyh	381	<html>
2			<head>
3			<title>Debian testing security team</title>
4			</head>
5
6			<h1>Goals</h1>
7
8			<p>
9			The Debian testing security team is a group of debian developers
10			and users who are working to improve the state of security in
11			Debian's testing branch. Lack of security support for testing has
12			long been one of the key problems to using testing, and we aim to
13			eventually provide full security support for testing.
14			</p>
15
16			<h1>Activities</h1>
17
18			<p>
19			The team's first activity was to check all security holes since the
20			release of Debian 3.0, to ensure that all the holes are fixed in
21			sarge and to provide a baseline for future work.
22			</p>
23
24			<p>
25			Now the team is tracking new holes on an ongoing basis, making sure
26			maintainers are informed of them and that there are bugs in the
27			Debian BTS, writing patches and doing NMUs as necessary, and
28			tracking the fixed packages and working with the Debian Release
29			Managers to make sure fixes reach testing quickly. Thanks to this
30			work we now have
31			<a href="http://merkel.debian.org/~joeyh/testing-security.html">a
32			web page</a>, that tracks open security holes in testing. (An
33			<a href="http://newraff.debian.org/~joeyh/testing-security.html">alternate
34			page</a> tracks archive changes more quickly, but may be
35			innaccurate due to bugs in madison on newraff.)
36			</p>
37
38			<h1>Future plans</h1>
39
40			<p>
41			After sarge is released and once the autobuilder infrastructure is
42			in place, we hope to begin issuing security advisories for holes in
43			testing, and providing fixed packages immediatly on
44			security.debian.org or a similar site, without the regular delay
45			involved in getting a fixed package into testing.
46			</p>
47
48			<h1>Data sources</h1>
49
50			<p>
51			Currently we're limiting ourselves to tracking security holes that
52			have been the subject of a Debian Security Advisory, or are in the
53			<a href="http://www.cve.mitre.org/cve/index.html">CVE</a> database.
54			It's very helpful to us if bug reports and Debian changelog entries
55			include CVE numbers for security holes. If you don't have a CVE
56			number, we can help you get one.
57			</p>
58
59			<p>
60			The team maintains a database (actually some files) that contain
61			our notes about all CVEs, CANs, and DSAs. This dataase is available
62			<a href="http://svn.debian.org/wsvn/secure-testing">from subversion</a>,
63			and may be checked out from
64			<tt>svn://svn.debian.org/secure-testing/</tt>.
65			</p>
66
67			<h1>Members and contacting the team</h1>
68
69			<p>
70			While some individual members may have sources of prior information
71			about security advisories (such as vendor-sec), the team as a whole
72			operates only on publically available information. Any Debian
73			developers with an interest in participating are welcome to join
74			the team, and we also welcome others who have the skills and desire
75			to help us.
76			</p>
77
78			<p>
79			The team can be contacted through its mailing list,
80			<a href="secure-testing-team@lists.alioth.debian.org">secure-testing-team@lists.alioth.debian.org</a>.
81			There is a second mailing list,
82			<a href="secure-testing-commits@lists.alioth.debian.org">secure-testing-commits@lists.alioth.debian.org</a>
83			that receives commit messages to our repository. An
84			<a href="http://alioth.debian.org/projects/secure-testing/">alioth
85			project page</a> is also available.
86			</p>
87	joeyh	383
88			<hr>
89
90			$Id$
91
92	joeyh	381	</html>