
Contents of /website/index.html



Revision 1739 - (show annotations) (download) (as text)
Tue Aug 30 15:57:12 2005 UTC (7 years, 8 months ago) by joeyh
File MIME type: text/html
File size: 7129 byte(s)
add irc channel
<html>
<head>
<title>Debian testing security team</title>
</head>

<h1>Goals</h1>

<p>
The Debian testing security team is a group of Debian developers
and users who are working to improve the state of security in
Debian's testing branch. Lack of security support for testing has
long been one of the key problems with using testing, and we aim to
eventually provide full security support for testing.
</p>

<h1>Activities</h1>

<p>
The team's first activity was to check all security holes since the
release of Debian 3.0, to ensure that all the holes are fixed in
sarge and to provide a baseline for future work.
</p>

<p>
Now the team is tracking new holes on an ongoing basis, making sure
maintainers are informed of them and that there are bugs in the
Debian BTS, writing patches and doing NMUs as necessary, and
tracking the fixed packages and working with the Debian Release
Managers to make sure fixes reach testing quickly. Thanks to this
work we now have
<a href="http://spohr.debian.org/~joeyh/testing-security.html">a
web page</a> that tracks open security holes in testing.
</p>

<p>
The team is in the process of beginning full security support for
testing by providing security advisories and fixes built against
testing, without the usual delays sometimes involved in getting a
security fix into testing. These will be announced on the
<a href="http://lists.alioth.debian.org/mailman/listinfo/secure-testing-announce">secure-testing-announce@lists.alioth.debian.org</a>
mailing list, and will be available in the following apt
repository:
<pre>
deb http://secure-testing.debian.net/debian-security-updates etch/security-updates main contrib non-free
deb-src http://secure-testing.debian.net/debian-security-updates etch/security-updates main contrib non-free
</pre>
The archive signing key used for this repository is <a href="ziyi-2005-7.asc">here</a>.
</p>

<h1>Data sources</h1>

<p>
Currently we're limiting ourselves to tracking security holes that
have been the subject of a Debian Security Advisory, or are in the
<a href="http://www.cve.mitre.org/cve/index.html">CVE</a> database.
It's very helpful to us if bug reports and Debian changelog entries
include CVE numbers for security holes. If you don't have a CVE
number, we can help you get one.
</p>

<p>
The team maintains a database (actually some files) that contains
our notes about all CVEs, CANs, and DSAs. This database is available
<a href="http://svn.debian.org/wsvn/secure-testing">from subversion</a>,
and may be checked out from
<tt>svn://svn.debian.org/secure-testing/</tt>.
</p>

<h1>Uploads to the secure-testing repository</h1>

<p>
To upload a package to the secure-testing repository, any Debian
developer may follow this checklist:
</p>
<ol>
<li>Only upload changes that have already been made in
unstable and are blocked from reaching testing by some other
issue. This is both to keep things in sync once the
new version from unstable reaches testing, and to avoid
breaking secure-testing too badly with fixes that have not
been tested first in unstable.</li>
<li>Only make uploads for issues that the testing security
team plans to issue a DTSA announcement for. It is best to
contact the team first to avoid duplicate work.</li>
<li>Use a version number that is less than the version
number of the fix in unstable, but greater than the version
number of the fix in testing. For example, if the fix is in
a new upstream version 1.0-1 in unstable, upload version
1.0-0.1etch1 to secure-testing. If the fix is in version
1.5-10 in unstable, use version 1.5-9etch1 in
secure-testing.</li>
<li>Use "testing" as the distribution in the
changelog.</li>
<li>Build the package in a testing chroot using pbuilder
so that all the dependencies are correct. Be sure to build with
the -sa switch to include the source, unless the source is
already in the secure-testing archive.
</li>
<li>Test the package.</li>
<li>Sign the package. Any Debian developer in the keyring
can do so.</li>
<li>Upload to <tt>secure-testing-master.debian.net</tt>.
Here is a dput.cf snippet for that upload queue:
<pre>
[secure-testing]
fqdn = secure-testing-master.debian.net
method = ftp
incoming = /pub/UploadQueue/
login = anonymous
</pre>
</li>
<li>Once your fix is accepted, a mail will be sent to
the <a href="http://lists.alioth.debian.org/mailman/listinfo/secure-testing-changes">secure-testing-changes</a>
list, and it will become available in this apt repository,
including builds for all other architectures:
<pre>
deb http://secure-testing.debian.net/debian-security-updates etch-proposed-updates/security-updates main contrib non-free
deb-src http://secure-testing.debian.net/debian-security-updates etch-proposed-updates/security-updates main contrib non-free
</pre>
Build logs can be found
<a href="http://experimental.debian.net/">here</a>.
Once everything is ready, contact a team member to issue a
DTSA.
</li>
</ol>

<p>
To issue a DTSA, team members follow this checklist:
</p>
<ol>
<li>Commit an initial .adv template into SVN to prevent duplicate work and claim an advisory number.</li>
<li>Prepare the update and fill out the .adv template.</li>
<li>Make sure everything is ready.</li>
<li>cd data/DTSA; ./dtsa -p ADVISORYNUMBER</li>
<li>svn add DTSA-n-1; svn commit</li>
<li>Edit data/DTSA/hints/yourname, and add a hint to make dtsasync
propagate the update from etch-proposed-updates to etch.
Commit the file and wait 15 minutes for the dtsasync run,
then check the <a href="logs/dtsasync">log file</a> and/or
upgrade a test machine.</li>
<li>cd data/DTSA; ./sndadvisory DTSA-n-1</li>
</ol>

<p>
Note that the above instructions are provisional until we get
everything set up.
</p>

<h1>Members and contacting the team</h1>

<p>
While some individual members may have sources of prior information
about security advisories (such as vendor-sec), the team as a whole
operates only on publicly available information. Any Debian
developers with an interest in participating are welcome to join
the team, and we also welcome others who have the skills and desire
to help us.
</p>

<p>
The team can be contacted through its mailing list,
<a href="http://lists.alioth.debian.org/mailman/listinfo/secure-testing-team">secure-testing-team@lists.alioth.debian.org</a>.
Our IRC channel is #debian-security on irc.debian.org.
There is a second mailing list,
<a href="http://lists.alioth.debian.org/mailman/listinfo/secure-testing-commits">secure-testing-commits@lists.alioth.debian.org</a>,
that receives commit messages to our repository; new team members
are encouraged to join it.
The list
<a href="http://lists.alioth.debian.org/mailman/listinfo/secure-testing-changes">secure-testing-changes@lists.alioth.debian.org</a>
receives automatic announcements of fixed packages uploaded to our
repository.
An <a href="http://alioth.debian.org/projects/secure-testing/">alioth
project page</a> is also available.
</p>

<hr>

$Id$

</html>

Properties

Name Value
svn:keywords Id
