 <h2>Goals</h2>
 
 <p>
-The Debian testing security team is a group of debian developers
-and users who are working to improve the state of security in
-Debian's testing branch. Lack of security support for testing has
-long been one of the key problems to using testing, and we aim to
-eventually provide full security support for testing.
+The Debian testing security team is a group of Debian developers
+and users who are working to keep Debian's testing branch in good
+shape with respect to security. Since packages migrate to testing
+from Debian's unstable branch, a secondary goal of the team is to
+improve the state of security in unstable.
 </p>
 
 
-<h2>Activities</h2>
+<h2><a href="http://security-tracker.debian.net/">Security Tracker</a></h2>
 
 <p>
-The team's first activity was to check all security holes since the
-release of Debian 3.0, to ensure that all the holes are fixed in
-sarge and to provide a baseline for future work.
+The team is tracking new security holes on an ongoing basis, making sure
+maintainers are informed of them and filing bug reports in the
+Debian BTS. The result of this work is availably in the
+<a href="http://security-tracker.debian.net/">Security Tracker web page</a>.
+This tracker contains information about all branches of Debian and is also
+used by the stable security team.
 </p>
 
-<p>
-Now the team is tracking new holes on an ongoing basis, making sure
-maintainers are informed of them and that there are bugs in the
-Debian BTS, writing patches and doing NMUs as necessary, and
-tracking the fixed packages and working with the Debian Release
-Managers to make sure fixes reach testing quickly. Thanks to this
-work we now have
-<a href="http://spohr.debian.org/~joeyh/testing-security.html">a
-web page</a>, that tracks open security holes in testing.
-</p>
+<h2>Security support for testing</h2>
 
-<p>
-The team is in the process of beginning full security support for
-testing by providing security advisories and fixes built against
-testing without the usual delays sometimes involved in getting a
-security fix into testing. These will be announced on the
-<a href="http://lists.alioth.debian.org/mailman/listinfo/secure-testing-announce">secure-testing-announce@lists.alioth.debian.org</a>
-mailing list, and will be available in the following apt
-repository:
-<pre>
-deb http://secure-testing.debian.net/debian-secure-testing etch/security-updates main contrib non-free
-deb-src http://secure-testing.debian.net/debian-secure-testing etch/security-updates main contrib non-free
-</pre>
-These are also available from this <a href='list.html'>list</a>.<br>
-The archive signing key used for this repository is <a href="ziyi-2005-7.asc">here</a>.
+<p>The team is providing security support for Debian's testing branch by</p>
 
-<h2>Data sources</h2>
-
-<p>
-Currently we're limiting ourselves to tracking security holes that
-have been the subject of a Debian Security Advisory, or are in the
-<a href="http://www.cve.mitre.org/cve/index.html">CVE</a> database.
-It's very helpful to us if bug reports and Debian changelog entries
-include CVE numbers for security holes. If you don't have a CVE
-number, we can help you get one.
-</p>
-
-<p>
-The team maintains a database (actually some files) that contain
-our notes about all CVEs and DSAs. This database is available
-<a href="http://svn.debian.org/wsvn/secure-testing">from subversion</a>,
-and may be checked out from
-<tt>svn://svn.debian.org/secure-testing/</tt>.
-</p>
+<ul>
+<li>writing patches and doing NMUs to unstable as necessary</li>
 
-<h2>Uploads to the secure-testing repository</h2>
+<li>tracking the fixed packages and working with the Debian Release
+Managers to make sure fixes reach testing quickly</li>
 
-<p>
-To upload a package to the secure-testing repository, any Debian
-developer may follow this checklist:
-<ol>
-<li>Only upload changes that have already been made in
-unstable and are blocked by reaching testing by some other
-issues. This is both to keep things in sync once the
-new version from unstable reaches testing, and to avoid
-breaking secure-testing too badly with fixes that have not
-been tested first in unstable.</li>
-<li>Only make uploads for issues that the testing security
-team plans to issue a DTSA announcement for.
-Contact the team first to avoid duplicate work.</li>
-<li>Use a version number that is less than the version
-number of the fix in unstable, but greater than the version
-number of the fix in testing. For example, if the fix is in
-a new upstream version 1.0-1 in unstable, upload version
-1.0-0.1etch2 to secure-testing. If the fix is in version
-1.5-10 in unstable, use version 1.5-9etch2 in
-secure-testing.</li>
-<li>Use "testing" as the distribution in the
-changelog.</li>
-<li>Build the package in a testing chroot using pbuilder
-so that all the dependencies are ok. Be sure to build with
-the -sa switch to include source, unless the source is
-already in the secure-testing archive.
-</li>
-<li>Test the package.</li>
-<li>Sign the package. Any Debian developer in the keyring
-can do so.</li>
-<li>Upload to <tt>security-master.debian.org</tt>.
-Here is a dput.cf snippet for that upload queue:
-<pre>
-[secured-testing]
-fqdn = security-master.debian.org
-method = ftp
-incoming = /pub/OpenSecurityUploadQueue/
-login = anonymous
-</pre>
-</li>
-<li>Once your fix is accepted, a mail will be sent to
-the <a href="http://lists.alioth.debian.org/mailman/listinfo/secure-testing-changes">secure-testing-changes</a>
-list and, it will become available in this apt repository,
-including builds for all other architectures:
+<li>if this process is too slow, providing fixed packages built against testing
+in the <em>testing-security apt repository</em>:
 <pre>
-deb http://security.debian.org/ testing/updates main contrib non-free
-deb-src http://security.debian.org/ testing/updates main contrib non-free
+deb http://security.debian.org lenny/updates main contrib non-free
+deb-src http://security.debian.org lenny/updates main contrib non-free
 </pre>
-Build logs are mailed to the team, and must be signed. Once everything is ok, a team member will issue a DTSA.
-</li>
-</ol>
+However, the majority of security fixes reaches testing by migrating from
+unstable. </li>
+</ul>
 
+<p>Note that in order to take advantage of the security support for testing,
+you must <em>update your system on a regular basis</em>.</p>
 
+<h3>Limitations</h3>
 
-<p>
-To issue a DTSA, team members follow this checklist (note: this may change once newamber is fixed to use our templates):
-<ol>
-<li>Commit an initial .adv template into SVN to prevent duplicate work and claim an advisory number
-<li>Prepare the update and fill out the .adv template
-<li>Make sure everything is ready.
-<li>cd data/DTSA; ./dtsa -p ADVISORYNUMBER</li>
-<li>check DTSA-n-1 and DTSA-n-1.html. Remove TODO line for
-advisory from the list file</li>
-<li>mv DTSA-n-1.html ../../website/DTSA/</li>
-<li>cd ../../website; ../bin/updatehtmllist --output list.html ../data/DTSA/list</li>
-<li>cd ../; svn add website/DTSA/DTSA-n-1.html; svn commit</li>
-<li>cd data/DTSA; ./sndadvisory DTSA-n-1</li>
-<li>Edit CVE/list and DSA/list to list the version of the
-package that is in the secure-testing archive as fixing the
-holes. This is unfortunatly currently necessary for the fix to
-appear as a fix on the tracking page.</li>
-</ol>
+<p>For several reasons, the security support for testing cannot be expected to
+be of the same quality as for Debian's stable branch:</p>
+
+<ul>
+<li>Updates for testing-security usually receive less testing than updates
+for stable-security.</li>
 
-<p>
-Note that the above instructions are provisional until we get
-everything set up.
-</p>
+<li>Updates for embargoed issues take longer because the testing security
+team does not have access to embargoed information.</li>
+
+<li>Testing is changing all the time which increases the likelihood of problems
+with the build infrastructure. Such problems can delay security updates in
+testing.</li>
+</ul>
 
+<h3>Announcements</h3>
 
-<h2>Members and contacting the team</h2>
+<p> Daily notifications about fixed security issues are sent to the
+<a href="http://lists.alioth.debian.org/mailman/listinfo/secure-testing-announce">secure-testing-announce@lists.alioth.debian.org</a>
+mailing list.</p>
 
-<p>
-While some individual members may have sources of prior information
-about security advisories (such as vendor-sec), the team as a whole
-operates only on publically available information. Any Debian
-developers with an interest in participating are welcome to join
-the team, and we also welcome others who have the skills and desire
-to help us.
-</p>
+<h2>Contacting the team</h2>
 
-<p>
-The team can be contacted through its mailing list,
-<a href="http://lists.alioth.debian.org/mailman/listinfo/secure-testing-team">secure-testing-team@lists.alioth.debian.org</a>. Please note that this is a public list, and as such, you should not send details of undisclosed vulnerabilities to this address.
-Our irc channel is #debian-security on the OFTC network.
-There is a second mailing list,
-<a href="http://lists.alioth.debian.org/mailman/listinfo/secure-testing-commits">secure-testing-commits@lists.alioth.debian.org</a>
-that receives commit messages to our repository, new team members
-are encouraged to join it.
-The list
-<a href="http://lists.alioth.debian.org/mailman/listinfo/secure-testing-changes">secure-testing-changes@lists.alioth.debian.org</a>
-receives automatic annoucements of fixed packages uploaded to our
-repository.
-An <a href="http://alioth.debian.org/projects/secure-testing/">alioth
-project page</a> is also available.
+<p>To contact the team, use</p>
+<ul>
+<li> the
+<a href="http://lists.alioth.debian.org/mailman/listinfo/secure-testing-team">team mailing list</a> at
+<a href="mailto:secure-testing-team@lists.alioth.debian.org">secure-testing-team@lists.alioth.debian.org</a>
+(Please note that this is a public list, and as such, you should not send details of undisclosed
+vulnerabilities to this address.)</li>
+
+<li>IRC: Our irc channel is #debian-security on the OFTC network.</li>
+</ul>
+
+<p>For issues related to the Debian security tracker, use the</p>
+<ul></li><a href="http://lists.debian.org/debian-security-tracker/">security tracker mailing list</a> at
+<a href="mailto:debian-security-tracker@lists.debian.org">debian-security-tracker@lists.debian.org</a>
+</li>
+</ul>
 
 
 </p>
+<h2>More information</h2>
+
+<ul>
+<li><a href="uploading.html">Uploading to the testing-security repository</a></li>
+
+<li><a href="helping.html">Helping the testing security team</a></li>
+
+<li>There is a <a href="http://svn.debian.org/wsvn/secure-testing">subversion repository</a>
+holding the data for the <a href="http://security-tracker.debian.net/">Debian
+security tracker</a>. It may be checked out from
+<tt>svn://svn.debian.org/secure-testing/</tt>. There is also a
+<a href="http://lists.alioth.debian.org/mailman/listinfo/secure-testing-commits">mailing list</a>
+commit messages.</li>
+
+<li><a href="http://alioth.debian.org/projects/secure-testing/">Alioth
+project page</a> with a list of team members.</li>
+<li><a href="http://www.cve.mitre.org/cve/index.html">Mitre's CVE database</a></li>
+</ul>
+
+<h3>Internal information</h3>
+<ul>
+<li><a href="http://svn.debian.org/wsvn/secure-testing/doc/narrative_introduction?op=file&rev=0&sc=0">Introduction
+to our processes</a></li>
+
+<li><a href="http://www.sfritsch.de/~stf/secure-testing-buildlogs.html">Buildlog status</a></li>
+
+<li><a href="http://klecker.debian.org/~jmm/status.html">Queue status on klecker</a></li>
+
+<li>Information about accepted uploads to testing-security is sent to <a
+href="http://lists.debian.org/debian-testing-changes/">debian-testing-changes</a></li>
+</ul>
 
 
 
 <hr><p>$Id$</p>
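Review bot: the new "Contacting the team" block introduces malformed markup: the added line `<ul></li><a href="http://lists.debian.org/debian-security-tracker/">security tracker mailing list</a> at` opens the list with a stray closing `</li>` instead of an opening `<li>`, so the `</li>` that follows the `mailto:debian-security-tracker@lists.debian.org` link has no partner, and the retained `</p>` after that `</ul>` now closes nothing, since the paragraph it used to close was replaced by the self-contained `<p>For issues related to the Debian security tracker, use the</p>`. Suggest `<ul><li><a href="http://lists.debian.org/debian-security-tracker/">…` and dropping the orphaned `</p>`; the preceding list (`<ul>` / `<li> the` … `</ul>`) already uses the correct form. Two smaller points in the same patch: `Debian BTS. The result of this work is availably in the` should read `available`, and the apt lines change from the suite name (`testing/updates`) to a release codename (`lenny/updates`), which means the snippet has to be revised at every release, so if the codename is intentional it is worth saying so next to the `<pre>` block.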