Author: white
Date: 2008-06-03 10:24:56 +0000 (Tue, 03 Jun 2008)
New Revision: 8962

Added:
   doc/bits_2008_06_x
Log:
Start new Bits from announcement email

Added: doc/bits_2008_06_x
==================================================================
--- doc/bits_2008_06_x (rev 0)
+++ doc/bits_2008_06_x 2008-06-03 10:24:56 UTC (rev 8962)
@@ -0,0 +1,125 @@ +Hi fellow developers, + +it''s been some time since our last email. +Much happened in regard to security support of Debian''s testing distribution. + + +Level of security support for the testing distribution: +------------------------------------------------------- + +The Debian Testing Security team provides almost provides full security +support for the testing distribution. At the time of the last email, two +blockers for full security support were present. We are happy to announce +that only one remains. The Debian Testing Security Team is now able to +process embargoed issues (read more about that below). +Therefore, the only remaining blocker for full security support is the kernel. +We are talking to the kernel security team about providing testing-security +support, but at the moment this task lacks manpower. If you are willing to +work on this, please feel free to contact us. Otherwise, we recommend to use +the stable kernel or if that is not an option, the unstable kernel in regard +to security. + + +Security status of the current testing distribution (lenny): +------------------------------------------------------------ + +With some pride we can say that testing was never in such good shape before +in regards to security. The tracker is reflecting known security issues in +the testing distribution(0). The new announcement emails provide a notification +for users, whenever a new security fix reaches testing, whether through +migration from unstable or DTSA for testing-security. Also fewer packages are +getting removed from testing, because of security issues. + +In order to reach a wider audience with security updates for testing, a new mailinglist +was created, called debian-testing-security-announce at lists.debian.org +We highly recommend that every user, who runs Debian testing and is concerned +about security subscribed to the debian-testing-security announcement list(1). 
+ + +Security status of the next testing distribution (lenny+1): +----------------------------------------------------------- + +After the release of lenny, we expect to continue with the normal +testing-security support without interruptions. However, this depends +on our buildds and the ability to release DTSAs. We hope that the +proper buildd network for the next testing distribution is in place +shortly after lenny becomes stable. The announcement emails will +continue as usual. + + +Embargoed issues and access to wider security information: +--------------------------------------------------------- + +Coming soon ... :) + + +Freeze of lenny coming up: +-------------------------- + +With the lenny release approaching, the Debian release team will at some stage +freeze the testing archive. This means it is even more important to stay in +close contact with the Debian Testing Security Team to coordinate security +updates for the testing distribution. If one of your packages is affected by +an unembargoed security issue, please contact us through the public list of +the team(2) and fix the issue in unstable with high urgency. Please send as +many information as possible, including patches, ways to reproduce the issue +and further descriptions. If we ask you to prepare a DTSA, please follow the +instructions on the testing-security webpage(3) and go ahead with the upload. +If your package is affected by an embargoed issue, email the private list(4) +and if we should ask you to upload a DTSA, use the embargoed upload queue +(which is the same than for stable/oldstable). + + +Handling of security issues in the unstable distribution: +--------------------------------------------------------- + +First of all, unstable does not have official security support. The illusion that +the Debian Testing Security Team also officially supports unstable is not true. 
+Security issues in unstable, especially when the package is not in testing, are +not regarded as high urgency and only dealt with, when there is enough spare time. +However, it is true that we let most of our security updates migrate through +unstable. For this purpose, we urge every maintainer to upload their security +fixes with high urgency and mention the CVE ids (if given) in their changelogs. +Because we let fixes migrate, it often happens that we NMU packages. An up to date +list of NMUs done by the security team can be found in the svn(5). These NMUs +are done as the need arises and do not allways follow the given NMU rules, because +security updates are treated with higher urgency. If you happen to get a bug +reported against one of your packages, please speak up, but if a working patch is +already reported and not disputed, consider uploading soon. + + +Call for new members: +--------------------- + +The team is still looking for new members. If you are interested in joining the +Debian Testing Security Team, please speak up and either write to the public +mailing list(6) or approach us under on the internal mailing list(6). Note that +you do not have to be a DD for all tasks. Your work would include to keep the +security tracker(8) up to date, report bugs about new unembargoed issues to the +BTS, give advice to maintainers and track the bugs, write and/or review patches, +propose NMUs and take care of DTSAs. If you are interested, but unsure that you +can cope with all this, we offer some level of mentoring for new members, where +we work together on some issues as some sort of introduction. You should also +be on IRC as most of our coordination happens there. 
+ + +Yours, +Testing Security Team + +(0): http://security-tracker.debian.net/tracker/status/release/testing + +(1): http://lists.debian.org/debian-testing-security-announce + +(2): secure-testing-team at lists.alioth.debian.org + +(3): http://testing-security.debian.net/uploading.html + +(4): team at security.debian.org + +(5): http://svn.debian.org/wsvn/secure-testing/data/NMU/list?op=file&rev=0&sc=0 + +(6): secure-testing-team at lists.alioth.debian.org + +(7): team at testing-security.debian.net + +(8): http://security-tracker.debian.net/tracker/
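
Review bot: The "Embargoed issues and access to wider security information" section is still the placeholder "Coming soon ... :)", yet the first section promises "(read more about that below)" and the freeze section already tells maintainers to mail the private list(4) and use the embargoed upload queue. Either fill that section in before this goes out or drop the forward reference, since as written readers are pointed at handling rules that are not there. In the "Call for new members" paragraph the internal mailing list is cited as (6), the same footnote as the public list, which leaves footnote (7) unreferenced; the second citation presumably should be (7). Smaller wording points in the added text: "provides almost provides full security support" repeats the verb, "approach us under on the internal mailing list" has a stray word, "allways" is misspelled, "as many information as possible" should be "as much information", "the same than for stable/oldstable" should be "the same as", and the apostrophes in "it''s" and "Debian''s" are doubled.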