| 28 |
tracking the fixed packages and working with the Debian Release |
tracking the fixed packages and working with the Debian Release |
| 29 |
Managers to make sure fixes reach testing quickly. Thanks to this |
Managers to make sure fixes reach testing quickly. Thanks to this |
| 30 |
work we now have |
work we now have |
| 31 |
<a href="http://merkel.debian.org/~joeyh/testing-security.html">a |
<a href="http://spohr.debian.org/~joeyh/testing-security.html">a |
| 32 |
web page</a>, that tracks open security holes in testing. (An |
web page</a>, that tracks open security holes in testing. |
|
<a href="http://newraff.debian.org/~joeyh/testing-security.html">alternate |
|
|
page</a> tracks archive changes more quickly, but may be |
|
|
innaccurate due to bugs in madison on newraff.) |
|
| 33 |
</p> |
</p> |
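Review bot: the rewrite on lines 31-32 replaces the merkel URL with the spohr one and drops the sentence about the alternate newraff page, but with it goes the only statement about how current the tracking page is; the removed text said the alternate copy "tracks archive changes more quickly", which tells a reader the remaining page lags the archive. Consider keeping one sentence next to the link saying how often the spohr page is regenerated, so that an entry missing from the list is not mistaken for a hole that has been fixed in testing.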
| 34 |
|
|
|
<h1>Future plans</h1> |
|
|
|
|
| 35 |
<p> |
<p> |
| 36 |
After sarge is released and once the autobuilder infrastructure is |
The team is in the process of beginning full security support for |
| 37 |
in place, we hope to begin issuing security advisories for holes in |
testing by providing security advisories and fixes built against |
| 38 |
testing, and providing fixed packages immediatly on |
testing without the usual delays sometimes involved in getting a |
| 39 |
security.debian.org or a similar site, without the regular delay |
security fix into testing. These will be announced on the |
| 40 |
involved in getting a fixed package into testing. |
<a href="http://lists.alioth.debian.org/mailman/listinfo/secure-testing-announce">secure-testing-announce@lists.alioth.debian.org</a> |
| 41 |
|
mailing list, and will be available in the following apt |
| 42 |
|
repository: |
| 43 |
|
<pre> |
| 44 |
|
deb http://secure-testing.debian.net/debian-security-updates etch/security-updates main contrib non-free |
| 45 |
|
</pre> |
| 46 |
</p> |
</p> |
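Review bot: the `<pre>` on lines 43-45 sits inside the `<p>` opened on line 35, which is not valid HTML (a paragraph may only contain inline content); browsers will implicitly close the paragraph at `<pre>` and the `</p>` on line 46 is then unmatched. Move the `<pre>` block out of the paragraph, for example by closing the `</p>` after "repository:" and opening a new one after the block. Two smaller points: the `deb http://secure-testing.debian.net/debian-security-updates etch/security-updates main contrib non-free` line is the whole of what a user is told about a repository that ships security fixes, with nothing about how the archive is signed or how to check its key, so a sentence on verification belongs next to it; and since the paragraph now describes something "in the process of beginning" rather than a plan, the surviving "Future plans" heading on line 34 (if it is kept) no longer matches its content.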
| 47 |
|
|
| 48 |
<h1>Data sources</h1> |
<h1>Data sources</h1> |
| 58 |
|
|
| 59 |
<p> |
<p> |
| 60 |
The team maintains a database (actually some files) that contain |
The team maintains a database (actually some files) that contain |
| 61 |
our notes about all CVEs, CANs, and DSAs. This dataase is available |
our notes about all CVEs, CANs, and DSAs. This database is available |
| 62 |
<a href="http://svn.debian.org/wsvn/secure-testing">from subversion</a>, |
<a href="http://svn.debian.org/wsvn/secure-testing">from subversion</a>, |
| 63 |
and may be checked out from |
and may be checked out from |
| 64 |
<tt>svn://svn.debian.org/secure-testing/</tt>. |
<tt>svn://svn.debian.org/secure-testing/</tt>. |
| 65 |
</p> |
</p> |
| 66 |
|
|
| 67 |
|
<h1>Uploads to the secure-testing repository</h1> |
| 68 |
|
|
| 69 |
|
<p> |
| 70 |
|
To upload a package to the secure-testing repository, follow this |
| 71 |
|
checklist: |
| 72 |
|
<ol> |
| 73 |
|
<li>Only upload changes that have already been made in |
| 74 |
|
unstable and are blocked by reaching testing by some other |
| 75 |
|
issues. This is both to keep things in sync once the |
| 76 |
|
new version from unstable reaches testing, and to avoid |
| 77 |
|
breaking secure-testing too badly with fixes that have not |
| 78 |
|
been tested first in unstable.</li> |
| 79 |
|
<li>Only make uploads for issues that the testing security |
| 80 |
|
team plans to issue a DTSA announcement for.</li> |
| 81 |
|
<li>Use a version number that is less than the version |
| 82 |
|
number of the fix in unstable, but greater than the version |
| 83 |
|
number of the fix in testing. For example, if the fix is in |
| 84 |
|
a new upstream version 1.0-1 in unstable, upload version |
| 85 |
|
1.0-0.1etch1 to secure-testing. If the fix is in version |
| 86 |
|
1.5-10 in unstable, use version 1.5-9etch1 in |
| 87 |
|
secure-testing.</li> |
| 88 |
|
<li>Use "testing" as the distribution in the |
| 89 |
|
changelog.</li> |
| 90 |
|
<li>Build the package in a testing chroot using pbuilder |
| 91 |
|
so that all the dependencies are ok.</li> |
| 92 |
|
<li>Test the package.</li> |
| 93 |
|
<li>Sign the package. Any Debian developer in the keyring |
| 94 |
|
can do so.</li> |
| 95 |
|
<li>Upload to <tt>secure-testing-master.debian.net</tt>. |
| 96 |
|
Here is a dput.cf snippet for that upload queue: |
| 97 |
|
<pre> |
| 98 |
|
[secure-testing] |
| 99 |
|
fqdn = secure-testing-master.debian.net |
| 100 |
|
method = ftp |
| 101 |
|
incoming = /pub/UploadQueue/ |
| 102 |
|
login = anonymous |
| 103 |
|
</pre> |
| 104 |
|
</li> |
| 105 |
|
<li>Once your fix is accepted, a mail will be sent to |
| 106 |
|
the <a href="http://lists.alioth.debian.org/mailman/listinfo/secure-testing-changes">secure-testing-changes</a> |
| 107 |
|
list and, it will become available in this apt repository, |
| 108 |
|
including builds for all other architectures: |
| 109 |
|
<pre> |
| 110 |
|
deb http://secure-testing.debian.net/debian-security-updates etch-proposed-updates/security-updates main contrib non-free |
| 111 |
|
</pre> |
| 112 |
|
Build logs can be found |
| 113 |
|
<a href="http://experimental.debian.net/">here</a>. |
| 114 |
|
</li> |
| 115 |
|
<li> |
| 116 |
|
Once everything is ready, contact a team member to create a DSTA annoucement |
| 117 |
|
(procedure pending), contact a secure-testing-master admin |
| 118 |
|
to move the upload from etch-proposed-updates to |
| 119 |
|
etch (using something like this, but the procedure is still being worked out: |
| 120 |
|
madison -s etch-proposed-updates -f heidi -S $package | sudo -u katie heidi -a etch) |
| 121 |
|
and send the DSTA to secure-testing-announce. |
| 122 |
|
</li> |
| 123 |
|
</ol> |
| 124 |
|
</p> |
| 125 |
|
|
| 126 |
|
<p> |
| 127 |
|
Note that the above instructions are provisional until we get |
| 128 |
|
everything set up. |
| 129 |
|
</p> |
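Review bot: the advisory acronym is inconsistent within this section, "DTSA announcement" on line 80 against "DSTA annoucement" on line 116 and "DSTA" on line 121; pick one spelling (and fix "annoucement"). Item 3 (lines 81-87) says the version must be "greater than the version number of the fix in testing", but the fix is not in testing yet; it should say greater than the version currently in testing, which is what the 1.5-10 / 1.5-9etch1 example assumes. Line 74 should read "blocked from reaching testing" rather than "blocked by". Item 7 (lines 93-94) is the only authentication of an upload, because the queue in item 8 is anonymous FTP (`login = anonymous`), so it would help to say explicitly that uploads whose signature is not from the keyring are rejected rather than "Any Debian developer in the keyring can do so". Line 107 has a stray comma ("list and, it will become available"). Finally the `<ol>` on lines 72-123 is, like the `<pre>` in the previous section, placed inside a `<p>` (lines 69 and 124), which is invalid HTML; close the paragraph before the list.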
| 130 |
|
|
| 131 |
<h1>Members and contacting the team</h1> |
<h1>Members and contacting the team</h1> |
| 132 |
|
|
| 133 |
<p> |
<p> |
| 141 |
|
|
| 142 |
<p> |
<p> |
| 143 |
The team can be contacted through its mailing list, |
The team can be contacted through its mailing list, |
| 144 |
<a href="secure-testing-team@lists.alioth.debian.org">secure-testing-team@lists.alioth.debian.org</a>. |
<a href="http://lists.alioth.debian.org/mailman/listinfo/secure-testing-team">secure-testing-team@lists.alioth.debian.org</a>. |
| 145 |
There is a second mailing list, |
There is a second mailing list, |
| 146 |
<a href="secure-testing-commits@lists.alioth.debian.org">secure-testing-commits@lists.alioth.debian.org</a> |
<a href="http://lists.alioth.debian.org/mailman/listinfo/secure-testing-commits">secure-testing-commits@lists.alioth.debian.org</a> |
| 147 |
that receives commit messages to our repository. An |
that receives commit messages to our repository, new team members |
| 148 |
<a href="http://alioth.debian.org/projects/secure-testing/">alioth |
are encouraged to join it. |
| 149 |
|
The list |
| 150 |
|
<a href="http://lists.alioth.debian.org/mailman/listinfo/secure-testing-changes">secure-testing-changes@lists.alioth.debian.org</a> |
| 151 |
|
receives automatic annoucements of fixed packages uploaded to our |
| 152 |
|
repository. |
| 153 |
|
An <a href="http://alioth.debian.org/projects/secure-testing/">alioth |
| 154 |
project page</a> is also available. |
project page</a> is also available. |
| 155 |
</p> |
</p> |
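Review bot: line 151 has "annoucements" for "announcements", and lines 147-148 are a comma splice ("that receives commit messages to our repository, new team members are encouraged to join it."); end the first sentence at "repository." and start a new one. The href changes on lines 144 and 146 are correct: the old anchors pointed at a bare address with no `mailto:` scheme, so they were broken links, and the mailman listinfo URLs fix that.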
| 156 |
|
|