<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html><head><meta http-equiv="Content-Type" content="text/html; charset=iso8859-1">
<title>Debian testing security team</title>
<link type="text/css" rel="stylesheet" href="style.css">
<link rel="shortcut icon" href="http://www.debian.org/favicon.ico">
</head>
<body>
<div align="center">
<a href="http://www.debian.org/">
<img src="http://www.debian.org/logos/openlogo-nd-50.png" border="0" hspace="0" vspace="0" alt=""></a>
<a href="http://www.debian.org/">
<img src="http://www.debian.org/Pics/debian.png" border="0" hspace="0" vspace="0" alt="Debian Project"></a>
</div>
<br />
<table class="reddy" width="100%">
<tr>
<td class="reddy">
<img src="http://www.debian.org/Pics/red-upperleft.png" align="left" border="0" hspace="0" vspace="0"
alt="" width="15" height="16"></td>
<td rowspan="2" class="reddy">Debian testing security team</td>
<td class="reddy">
<img src="http://www.debian.org/Pics/red-upperright.png" align="right" border="0" hspace="0" vspace="0"
alt="" width="16" height="16"></td>
</tr>
<tr>
<td class="reddy">
<img src="http://www.debian.org/Pics/red-lowerleft.png" align="left" border="0" hspace="0" vspace="0"
alt="" width="16" height="16"></td>
<td class="reddy">
<img src="http://www.debian.org/Pics/red-lowerright.png" align="right" border="0" hspace="0" vspace="0"
alt="" width="15" height="16"></td>
</tr>
</table>

<h2>Goals</h2>

<p>
The Debian testing security team is a group of Debian developers
and users who are working to keep Debian's testing branch in good
shape with respect to security. Since packages migrate to testing
from Debian's unstable branch, a secondary goal of the team is to
improve the state of security in unstable.
</p>

<h2><a href="http://security-tracker.debian.net/">Security Tracker</a></h2>

<p>
The team is tracking new security holes on an ongoing basis, making sure
maintainers are informed of them and filing bug reports in the
Debian BTS. The result of this work is available in the
<a href="http://security-tracker.debian.net/">Security Tracker web page</a>.
This tracker contains information about all branches of Debian and is also
used by the stable security team.
</p>

<h2>Security support for testing</h2>

<p>The team is providing security support for Debian's testing branch by</p>
<ul>
<li>writing patches and doing NMUs to unstable as necessary</li>

<li>tracking the fixed packages and working with the Debian Release
Managers to make sure fixes reach testing quickly</li>

<li>if this process is too slow, providing fixed packages built against testing
in the <em>testing-security apt repository</em>:
<pre>
deb http://security.debian.org lenny/updates main contrib non-free
deb-src http://security.debian.org lenny/updates main contrib non-free
</pre>
However, the majority of security fixes reach testing by migrating from
unstable.</li>
</ul>

<p>Note that in order to take advantage of the security support for testing,
you must <em>update your system on a regular basis</em>.</p>

<h3>Data sources</h3>

<p>
Currently we're limiting ourselves to tracking security holes that
have been the subject of a Debian Security Advisory, or are in the
<a href="http://www.cve.mitre.org/cve/index.html">CVE</a> database.
It's very helpful to us if bug reports and Debian changelog entries
include CVE numbers for security holes. If you don't have a CVE
number, we can help you get one.
</p>

<p>
The team maintains a database (actually some files) that contains
our notes about all CVEs, CANs, and DSAs. This database is available
<a href="http://svn.debian.org/wsvn/secure-testing">from subversion</a>,
and may be checked out from
<tt>svn://svn.debian.org/secure-testing/</tt>.
</p>

<h3>Uploads to the secure-testing repository</h3>

<p>
To upload a package to the secure-testing repository, any Debian
developer may follow this checklist:
</p>
<ol>
<li>Only upload changes that have already been made in
unstable and are blocked from reaching testing by some other
issues. This is both to keep things in sync once the
new version from unstable reaches testing, and to avoid
breaking secure-testing too badly with fixes that have not
been tested first in unstable.</li>
<li>Only make uploads for issues that the testing security
team plans to issue a DTSA announcement for. It is best to
contact the team first to avoid duplicate work.</li>
<li>Use a version number that is less than the version
number of the fix in unstable, but greater than the version
number of the fix in testing. For example, if the fix is in
a new upstream version 1.0-1 in unstable, upload version
1.0-0.1etch1 to secure-testing. If the fix is in version
1.5-10 in unstable, use version 1.5-9etch1 in
secure-testing.</li>
<li>Use "testing" as the distribution in the
changelog.</li>
<li>Build the package in a testing chroot using pbuilder
so that all the dependencies are ok. Be sure to build with
the -sa switch to include source, unless the source is
already in the secure-testing archive.</li>
<li>Test the package.</li>
<li>Sign the package. Any Debian developer in the keyring
can do so.</li>
<li>Upload to <tt>secure-testing-master.debian.net</tt>.
Here is a dput.cf snippet for that upload queue:
<pre>
[secure-testing]
fqdn = secure-testing-master.debian.net
method = ftp
incoming = /pub/UploadQueue/
login = anonymous
</pre>
</li>
<li>Once your fix is accepted, a mail will be sent to
the <a href="http://lists.alioth.debian.org/mailman/listinfo/secure-testing-changes">secure-testing-changes</a>
list and it will become available in this apt repository,
including builds for all other architectures:
<pre>
deb http://secure-testing.debian.net/debian-security-updates etch-proposed-updates/security-updates main contrib non-free
deb-src http://secure-testing.debian.net/debian-security-updates etch-proposed-updates/security-updates main contrib non-free
</pre>
Build logs can be found
<a href="http://experimental.debian.net/">here</a> with
distribution-name <i>etch-secure</i>.
Once everything is ready, contact a team member to issue a
DTSA.</li>
</ol>

<p>
To issue a DTSA, team members follow this checklist:
</p>
<ol>
<li>Commit an initial .adv template into SVN to prevent duplicate work and claim an advisory number.</li>
<li>Prepare the update and fill out the .adv template.</li>
<li>Make sure everything is ready.</li>
<li><tt>cd data/DTSA; ./dtsa -p ADVISORYNUMBER</tt></li>
<li><tt>svn add DTSA-n-1; svn commit</tt></li>
<li>Edit data/DTSA/hints/yourname, and add a hint to make dtsasync
propagate the update from etch-proposed-updates to etch.
Commit the file and wait 15 minutes for the dtsasync run,
then check the <a href="logs/dtsasync">log file</a> and/or
upgrade a test machine.</li>
<li><tt>cd data/DTSA; ./sndadvisory DTSA-n-1</tt></li>
</ol>

<p>
Note that the above instructions are provisional until we get
everything set up.
</p>
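The version-numbering rule in item 3 of the upload checklist above, as an added example that is not code from the original page or from the Debian testing security team: it derives the secure-testing version from the fix in unstable the way the two examples there do, then enforces the required ordering with a re-implementation of dpkg's version comparison (assumed to follow dpkg's <tt>verrevcmp</tt> algorithm; the <tt>secure_testing_version</tt> and <tt>dpkg_compare</tt> names are this example's own).

```python
# Added example, not from the Debian testing security team page: derive the
# secure-testing version from the unstable fix as checklist item 3 does, and
# refuse it unless testing < candidate < unstable under dpkg's version ordering
# (re-implemented here from dpkg's verrevcmp algorithm; not Debian's own code).
import re

def _order(c):
    # dpkg's character order: '~' < end of string or digit < letters < other non-digits
    return -1 if c == "~" else 0 if c == "" or c.isdigit() else ord(c) if c.isalpha() else ord(c) + 256

def _verrevcmp(a, b):
    # Compare one upstream-version or revision string as dpkg does: alternate
    # runs of non-digits (character by character via _order) and runs of digits (numerically).
    i = j = 0
    while i < len(a) or j < len(b):
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            oa, ob = _order(a[i:i + 1]), _order(b[j:j + 1])  # "" once a string is used up
            if oa != ob:
                return -1 if oa < ob else 1
            i, j = i + 1, j + 1
        na, nb = re.match(r"\d*", a[i:]).group(), re.match(r"\d*", b[j:]).group()
        i, j = i + len(na), j + len(nb)
        if int(na or 0) != int(nb or 0):  # leading zeros are insignificant
            return -1 if int(na or 0) < int(nb or 0) else 1
    return 0

def _split(v):
    # "epoch:upstream-revision"; the epoch defaults to 0 and the revision to "0"
    epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "0")
    return int(epoch), upstream, revision

def dpkg_compare(a, b):
    # -1, 0 or 1 for a < b, a == b, a > b in dpkg version order
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _verrevcmp(ua, ub) or _verrevcmp(ra, rb)

def secure_testing_version(unstable_fix, testing, suite="etch"):
    # Checklist rule: step the Debian revision of the unstable fix down by one (a revision
    # of 1 becomes 0.1) and append the suite tag plus a counter: 1.0-1 -> 1.0-0.1etch1,
    # 1.5-10 -> 1.5-9etch1; then refuse the result unless it sorts between testing and unstable.
    epoch, upstream, revision = _split(unstable_fix)
    prefix, digits = re.fullmatch(r"(.*?)(\d+)", revision).groups()
    lowered = prefix + ("0.1" if int(digits) == 1 else str(int(digits) - 1))
    candidate = (f"{epoch}:" if epoch else "") + f"{upstream}-{lowered}{suite}1"
    if dpkg_compare(testing, candidate) >= 0 or dpkg_compare(candidate, unstable_fix) >= 0:
        raise ValueError(f"{candidate} does not sort between {testing} and {unstable_fix}")
    return candidate
```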
|
|
<h3>Limitations</h3>

<p>For several reasons, the security support for testing cannot be expected to
be of the same quality as for Debian's stable branch:</p>

<ul>
<li>Updates for testing-security usually receive less testing than updates
for stable-security.</li>

<li>Updates for embargoed issues take longer because the testing security
team does not have access to embargoed information.</li>

<li>Testing is changing all the time, which increases the likelihood of problems
with the build infrastructure. Such problems can delay security updates in
testing.</li>
</ul>

<p>
While some individual members may have sources of prior information
about security advisories (such as vendor-sec), the team as a whole
operates only on publicly available information. Any Debian
developers with an interest in participating are welcome to join
the team, and we also welcome others who have the skills and desire
to help us.
</p>

<h3>Announcements</h3>

<p>Daily notifications about fixed security issues are sent to the
<a href="http://lists.alioth.debian.org/mailman/listinfo/secure-testing-announce">secure-testing-announce@lists.alioth.debian.org</a>
mailing list.</p>

<h2>Contacting the team</h2>

<p>To contact the team, use</p>
<ul>
<li>the
<a href="http://lists.alioth.debian.org/mailman/listinfo/secure-testing-team">team mailing list</a> at
<a href="mailto:secure-testing-team@lists.alioth.debian.org">secure-testing-team@lists.alioth.debian.org</a>
(Please note that this is a public list, and as such, you should not send details of undisclosed
vulnerabilities to this address.)</li>

<li>IRC: our IRC channel is #debian-security on the OFTC network.</li>
</ul>

<p>For issues related to the Debian security tracker, use the</p>
<ul>
<li><a href="http://lists.debian.org/debian-security-tracker/">security tracker mailing list</a> at
<a href="mailto:debian-security-tracker@lists.debian.org">debian-security-tracker@lists.debian.org</a>
</li>
</ul>

<h2>More information</h2>

<ul>
<li><a href="uploading.html">Uploading to the testing-security repository</a></li>

<li><a href="helping.html">Helping the testing security team</a></li>

<li>There is a <a href="http://svn.debian.org/wsvn/secure-testing">subversion repository</a>
holding the data for the <a href="http://security-tracker.debian.net/">Debian
security tracker</a>. It may be checked out from
<tt>svn://svn.debian.org/secure-testing/</tt>. There is also a
<a href="http://lists.alioth.debian.org/mailman/listinfo/secure-testing-commits">mailing list</a>
for commit messages.</li>

<li><a href="http://alioth.debian.org/projects/secure-testing/">Alioth
project page</a> with a list of team members.</li>
<li><a href="http://www.cve.mitre.org/cve/index.html">Mitre's CVE database</a></li>
</ul>

<h3>Internal information</h3>
<ul>
<li><a href="http://svn.debian.org/wsvn/secure-testing/doc/narrative_introduction?op=file&rev=0&sc=0">Introduction
to our processes</a></li>

<li><a href="http://www.sfritsch.de/~stf/secure-testing-buildlogs.html">Buildlog status</a></li>

<li><a href="http://klecker.debian.org/~jmm/status.html">Queue status on klecker</a></li>

<li>Information about accepted uploads to testing-security is sent to <a
href="http://lists.debian.org/debian-testing-changes/">debian-testing-changes</a></li>
</ul>

<hr><p>$Id$</p>
<a href="http://validator.w3.org/check?uri=referer">
<img border="0" src="http://www.w3.org/Icons/valid-html401" alt="Valid HTML 4.01!" height="31" width="88"></a>
<a href="http://jigsaw.w3.org/css-validator/check/referer">
<img border="0" src="http://jigsaw.w3.org/css-validator/images/vcss" alt="Valid CSS!"
height="31" width="88"></a>

</body></html>