| 1 |
<html>
|
| 2 |
<head>
|
| 3 |
<title>Debian testing security team</title>
|
| 4 |
</head>
|
| 5 |
|
| 6 |
<h1>Goals</h1>
|
| 7 |
|
| 8 |
<p>
|
| 9 |
The Debian testing security team is a group of debian developers
|
| 10 |
and users who are working to improve the state of security in
|
| 11 |
Debian's testing branch. Lack of security support for testing has
|
| 12 |
long been one of the key problems to using testing, and we aim to
|
| 13 |
eventually provide full security support for testing.
|
| 14 |
</p>
|
| 15 |
|
| 16 |
<h1>Activities</h1>
|
| 17 |
|
| 18 |
<p>
|
| 19 |
The team's first activity was to check all security holes since the
|
| 20 |
release of Debian 3.0, to ensure that all the holes are fixed in
|
| 21 |
sarge and to provide a baseline for future work.
|
| 22 |
</p>
|
| 23 |
|
| 24 |
<p>
|
| 25 |
Now the team is tracking new holes on an ongoing basis, making sure
|
| 26 |
maintainers are informed of them and that there are bugs in the
|
| 27 |
Debian BTS, writing patches and doing NMUs as necessary, and
|
| 28 |
tracking the fixed packages and working with the Debian Release
|
| 29 |
Managers to make sure fixes reach testing quickly. Thanks to this
|
| 30 |
work we now have
|
| 31 |
<a href="http://merkel.debian.org/~joeyh/testing-security.html">a
|
| 32 |
web page</a>, that tracks open security holes in testing. (An
|
| 33 |
<a href="http://newraff.debian.org/~joeyh/testing-security.html">alternate
|
| 34 |
page</a> tracks archive changes more quickly, but may be
|
| 35 |
innaccurate due to bugs in madison on newraff.)
|
| 36 |
</p>
|
| 37 |
|
| 38 |
<h1>Future plans</h1>
|
| 39 |
|
| 40 |
<p>
|
| 41 |
After sarge is released and once the autobuilder infrastructure is
|
| 42 |
in place, we hope to begin issuing security advisories for holes in
|
| 43 |
testing, and providing fixed packages immediatly on
|
| 44 |
security.debian.org or a similar site, without the regular delay
|
| 45 |
involved in getting a fixed package into testing.
|
| 46 |
</p>
|
| 47 |
|
| 48 |
<h1>Data sources</h1>
|
| 49 |
|
| 50 |
<p>
|
| 51 |
Currently we're limiting ourselves to tracking security holes that
|
| 52 |
have been the subject of a Debian Security Advisory, or are in the
|
| 53 |
<a href="http://www.cve.mitre.org/cve/index.html">CVE</a> database.
|
| 54 |
It's very helpful to us if bug reports and Debian changelog entries
|
| 55 |
include CVE numbers for security holes. If you don't have a CVE
|
| 56 |
number, we can help you get one.
|
| 57 |
</p>
|
| 58 |
|
| 59 |
<p>
|
| 60 |
The team maintains a database (actually some files) that contain
|
| 61 |
our notes about all CVEs, CANs, and DSAs. This dataase is available
|
| 62 |
<a href="http://svn.debian.org/wsvn/secure-testing">from subversion</a>,
|
| 63 |
and may be checked out from
|
| 64 |
<tt>svn://svn.debian.org/secure-testing/</tt>.
|
| 65 |
</p>
|
| 66 |
|
| 67 |
<h1>Members and contacting the team</h1>
|
| 68 |
|
| 69 |
<p>
|
| 70 |
While some individual members may have sources of prior information
|
| 71 |
about security advisories (such as vendor-sec), the team as a whole
|
| 72 |
operates only on publically available information. Any Debian
|
| 73 |
developers with an interest in participating are welcome to join
|
| 74 |
the team, and we also welcome others who have the skills and desire
|
| 75 |
to help us.
|
| 76 |
</p>
|
| 77 |
|
| 78 |
<p>
|
| 79 |
The team can be contacted through its mailing list,
|
| 80 |
<a href="secure-testing-team@lists.alioth.debian.org">secure-testing-team@lists.alioth.debian.org</a>.
|
| 81 |
There is a second mailing list,
|
| 82 |
<a href="secure-testing-commits@lists.alioth.debian.org">secure-testing-commits@lists.alioth.debian.org</a>
|
| 83 |
that receives commit messages to our repository. An
|
| 84 |
<a href="http://alioth.debian.org/projects/secure-testing/">alioth
|
| 85 |
project page</a> is also available.
|
| 86 |
</p>
|
| 87 |
|
| 88 |
<hr>
|
| 89 |
|
| 90 |
$Id$
|
| 91 |
|
| 92 |
</html>
|
Parent Directory
| 
Revision Log