Debian testing security team
The Debian testing security team is a group of Debian developers and users who are working to improve the state of security in Debian's testing branch. Lack of security support for testing has long been one of the key problems with using testing, and we aim to eventually provide full security support for it.
The team's first activity was to check all security holes since the release of Debian 3.0, to ensure that all the holes are fixed in sarge and to provide a baseline for future work.
Now the team is tracking new holes on an ongoing basis: making sure maintainers are informed of them and that there are bugs in the Debian BTS, writing patches and doing NMUs as necessary, and tracking the fixed packages and working with the Debian Release Managers to make sure fixes reach testing quickly. Thanks to this work we now have a web page that tracks open security holes in testing and other branches of Debian.
The team is beginning to provide full security support for testing by issuing security advisories and fixes built against testing, without the delays sometimes involved in getting a security fix into testing through unstable. These will be announced on the firstname.lastname@example.org mailing list, and will be available in the following apt repository:
deb http://secure-testing.debian.net/debian-secure-testing etch/security-updates main contrib non-free
deb-src http://secure-testing.debian.net/debian-secure-testing etch/security-updates main contrib non-free
These are also available from this list.
Currently we're limiting ourselves to tracking security holes that have been the subject of a Debian Security Advisory, or are in the CVE database. It's very helpful to us if bug reports and Debian changelog entries include CVE numbers for security holes. If you don't have a CVE number, we can help you get one.
The team maintains a database (actually a set of text files) containing our notes about all CVEs and DSAs. This database is kept in subversion, and may be checked out from svn://svn.debian.org/secure-testing/.
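As an added example (not part of the original page or of the team's own tools), here is a small check that does what the two paragraphs above ask for: it pulls CVE identifiers out of a Debian changelog, flags identifiers written in a form the tracker would not match (old CAN- candidate numbers, lowercase), and compares the result against a tracker data file. The changelog and the tracker excerpt are constructed samples; the tracker file layout assumed here (an unindented "CVE-YYYY-NNNN (description)" line followed by indented per-package lines) is an assumption, not something the page specifies.

```python
import re
from typing import Dict, List, Set

# Canonical identifier form the team asks for in changelogs and bug reports.
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")
# Forms that look like an identifier but would not match CVE_RE: old-style
# candidate numbers and wrong-case variants. Worth flagging in a changelog.
LOOSE_RE = re.compile(r"\b(?:CAN|cve|Cve)-\d{4}-\d{4,}\b")

# Constructed sample changelog (not a real package's).
SAMPLE_CHANGELOG = """\
foo (1.2-3etch1) testing-security; urgency=high

  * Fix stack overflow in the parser (CVE-2006-0001).
  * Fix a second issue, referenced with the old candidate prefix (CAN-2005-0002).
  * Fix an issue not yet in the tracker (CVE-2006-0002).

 -- Some Developer <dev@example.org>  Mon, 01 May 2006 12:00:00 +0000

foo (1.2-3) unstable; urgency=low

  * New upstream release.

 -- Some Developer <dev@example.org>  Mon, 01 Jan 2006 12:00:00 +0000
"""

# Constructed tracker excerpt; the layout is assumed for this example.
SAMPLE_LIST = """\
CVE-2006-0001 (Stack overflow in the foo parser)
\t- foo 1.2-3etch1 (bug #000001)
CVE-2006-0003 (Unrelated issue in bar)
\t- bar <unfixed>
"""

HEADER_RE = re.compile(r"^(\S+) \(([^)]+)\) ")  # "package (version) dist; ..."


def changelog_cves(text: str) -> Dict[str, List[str]]:
    """Map each changelog version to the CVE ids mentioned in that entry.

    Only header lines (no leading whitespace) start a new entry; bullet and
    signature lines are indented and are scanned for identifiers.
    """
    entries: Dict[str, List[str]] = {}
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = m.group(2)
            entries[current] = []
        elif current is not None:
            entries[current].extend(CVE_RE.findall(line))
    return entries


def malformed_ids(text: str) -> List[str]:
    """Identifiers that a grep for CVE-... would silently miss."""
    return sorted(set(LOOSE_RE.findall(text)))


def tracked_cves(list_text: str) -> Set[str]:
    """CVE ids that have a top-level entry in the (assumed-format) tracker file."""
    return {line.split()[0] for line in list_text.splitlines()
            if line.startswith("CVE-")}


def untracked(changelog: str, list_text: str) -> List[str]:
    """CVE ids claimed fixed in the changelog but absent from the tracker."""
    claimed = {cve for cves in changelog_cves(changelog).values() for cve in cves}
    return sorted(claimed - tracked_cves(list_text))


if __name__ == "__main__":
    for version, cves in changelog_cves(SAMPLE_CHANGELOG).items():
        print(version, cves)
    print("malformed:", malformed_ids(SAMPLE_CHANGELOG))
    print("not in tracker:", untracked(SAMPLE_CHANGELOG, SAMPLE_LIST))
```

Running it on the sample reports CAN-2005-0002 as a malformed reference and CVE-2006-0002 as not yet tracked, which is exactly the situation where the team would ask the maintainer to add or fix the identifier.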
To upload a package to the secure-testing repository, any Debian developer may follow this checklist:
[secured-testing]
fqdn = security-master.debian.org
method = ftp
incoming = /pub/OpenSecurityUploadQueue/
login = anonymous
deb http://security.debian.org/ testing/updates main contrib non-free
deb-src http://security.debian.org/ testing/updates main contrib non-free
Build logs are mailed to the team, and must be signed. Once everything is OK, a team member will issue a DTSA.
To issue a DTSA, team members follow this checklist (note: this may change once newamber is fixed to use our templates):
Note that the above instructions are provisional until we get everything set up.
While some individual members may have sources of prior information about security advisories (such as vendor-sec), the team as a whole operates only on publicly available information. Any Debian developers with an interest in participating are welcome to join the team, and we also welcome others who have the skills and desire to help us.
The team can be contacted through its mailing list, email@example.com. Please note that this is a public list, and as such, you should not send details of undisclosed vulnerabilities to this address. Our IRC channel is #debian-security on the OFTC network. There is a second mailing list, firstname.lastname@example.org, that receives commit messages to our repository; new team members are encouraged to join it. The list email@example.com receives automatic announcements of fixed packages uploaded to our repository. An Alioth project page is also available.