stef-guest at alioth.debian.org
2007-Oct-05 21:35 UTC
[Secure-testing-commits] r6809 - website
Author: stef-guest Date: 2007-10-05 21:35:05 +0000 (Fri, 05 Oct 2007) New Revision: 6809 Added: website/uploading.html Modified: website/index.html Log: start to update the website Modified: website/index.html ==================================================================--- website/index.html 2007-10-05 21:14:08 UTC (rev 6808) +++ website/index.html 2007-10-05 21:35:05 UTC (rev 6809) 
@@ -39,174 +39,113 @@ <p> The Debian testing security team is a group of Debian developers - and users who are working to improve the state of security in - Debian''s testing branch. Lack of security support for testing has - long been one of the key problems to using testing, and we aim to - eventually provide full security support for testing. + and users who are working to keep Debian''s testing branch in good + shape with respect to security. Since packages migrate to testing + from Debian''s unstable branch, a secondary goal of the team is to + improve the state of security in unstable. </p> + - <h2>Activities</h2> + <h2><a href="http://security-tracker.debian.net/">Security Tracker</a></h2> <p> - The team''s first activity was to check all security holes since the - release of Debian 3.0, to ensure that all the holes are fixed in - sarge and to provide a baseline for future work. + The team is tracking new security holes on an ongoing basis, making sure + maintainers are informed of them and filing bug reports in the + Debian BTS. The result of this work is availably in the + <a href="http://security-tracker.debian.net/">Security Tracker web page</a>. + This tracker contains information about all branches of Debian and is also + used by the stable security team. </p> - <p> - Now the team is tracking new holes on an ongoing basis, making sure - maintainers are informed of them and that there are bugs in the - Debian BTS, writing patches and doing NMUs as necessary, and - tracking the fixed packages and working with the Debian Release - Managers to make sure fixes reach testing quickly. Thanks to this - work we now have - <a href="http://security-tracker.debian.net/">a - web page</a>, that tracks open security holes in testing and other - branches of Debian. 
- </p> + <h2>Security support for testing</h2> - <p> - The team is in the process of beginning full security support for - testing by providing security advisories and fixes built against - testing without the usual delays sometimes involved in getting a - security fix into testing. These will be announced on the - <a href="http://lists.alioth.debian.org/mailman/listinfo/secure-testing-announce">secure-testing-announce at lists.alioth.debian.org</a> - mailing list, and will be available in the following apt - repository: - <pre> - deb http://security.debian.org lenny/updates main contrib non-free - deb-src http://security.debian.org lenny/updates main contrib non-free - </pre> - These are also available from this <a href=''list.html''>list</a>.<br> + <p>The team is providing security support for Debian''s testing branch by</p> - <h2>Data sources</h2> + <ul> + <li>writing patches and doing NMUs to unstable as necessary</li> - <p> - Currently we''re limiting ourselves to tracking security holes that - have been the subject of a Debian Security Advisory, or are in the - <a href="http://www.cve.mitre.org/cve/index.html">CVE</a> database. - It''s very helpful to us if bug reports and Debian changelog entries - include CVE numbers for security holes. If you don''t have a CVE - number, we can help you get one. - </p> + <li>tracking the fixed packages and working with the Debian Release + Managers to make sure fixes reach testing quickly</li> - <p> - The team maintains a database (actually some files) that contain - our notes about all CVEs and DTSAs. This database is available - <a href="http://svn.debian.org/wsvn/secure-testing">from subversion</a>, - and may be checked out from - <tt>svn://svn.debian.org/secure-testing/</tt>. 
- </p> - - <h2>Uploads to the secure-testing repository</h2> - - <p> - To upload a package to the secure-testing repository, any Debian - developer may follow this checklist: - <ol> - <li>Only upload changes that have already been made in - unstable and are blocked by reaching testing by some other - issues. This is both to keep things in sync once the - new version from unstable reaches testing, and to avoid - breaking secure-testing too badly with fixes that have not - been tested first in unstable.</li> - <li>If the orig.tar.gz is already on security.debian.org - (either in stable-security or in testing-security) - don''t include it in the upload.</li> - <li>Only make uploads for issues that the testing security - team plans to issue a DTSA announcement for. - Contact the team first to avoid duplicate work.</li> - <li>Use a version number that is less than the version - number of the fix in unstable, but greater than the version - number of the fix in testing. For example, if the fix is in - a new upstream version 1.0-1 in unstable, upload version - 1.0-0.1lenny2 to secure-testing. If the fix is in version - 1.5-10 in unstable, use version 1.5-9lenny2 in - secure-testing.</li> - <li>Use "testing-security" as the distribution in the - changelog.</li> - <li>Build the package in a testing chroot using pbuilder - so that all the dependencies are ok. Be sure to build with - the -sa switch to include source, unless the source is - already in the secure-testing archive. - </li> - <li>Test the package.</li> - <li>Sign the package. Any Debian developer in the keyring - can do so.</li> - <li>Upload to <tt>security-master.debian.org</tt>. 
- Here is a dput.cf snippet for that upload queue: + <li>if this process is too slow, providing fixed packages built against testing + in the <em>testing-security apt repository</em>: <pre> - [secured-testing] - fqdn = security-master.debian.org - method = ftp - incoming = /pub/OpenSecurityUploadQueue/ - login = anonymous + deb http://security.debian.org lenny/updates main contrib non-free + deb-src http://security.debian.org lenny/updates main contrib non-free </pre> - </li> - <li>Once your fix is accepted, a mail will be sent to - the <a href="http://lists.alioth.debian.org/mailman/listinfo/secure-testing-changes">secure-testing-changes</a> - list and, it will become available in this apt repository, - including builds for all other architectures: - <pre> - deb http://security.debian.org/ testing/updates main contrib non-free - deb-src http://security.debian.org/ testing/updates main contrib non-free - </pre> - Build logs are mailed to the team, and must be signed. Once everything is ok, a team member will issue a DTSA. - </li> - </ol> + However, the majority of security fixes reaches testing by migrating from + unstable. </li> + </ul> + + <p>Note that in order to take advantage of the security support for testing, + you must <em>update your system on a regular basis</em>.</p> + + <h3>Limitations</h3> - <p> - To issue a DTSA, team members follow this checklist (note: this may change once newamber is fixed to use our templates): - <ol> - <li>Commit an initial .adv template into SVN to prevent duplicate work and claim an advisory number - <li>Prepare the update and fill out the .adv template - <li>Make sure everything is ready. - <li>cd data/DTSA; ./dtsa -p ADVISORYNUMBER</li> - <li>check DTSA-n-1 and DTSA-n-1.html. 
Remove TODO line for - advisory from the list file</li> - <li>mv DTSA-n-1.html ../../website/DTSA/</li> - <li>cd ../../website; ../bin/updatehtmllist --output list.html ../data/DTSA/list</li> - <li>cd ../; svn add website/DTSA/DTSA-n-1.html; svn commit</li> - <li>cd data/DTSA; ./sndadvisory DTSA-n-1</li> - <li>Edit CVE/list and DTSA/list to list the version of the - package that is in the secure-testing archive as fixing the - holes. This is unfortunately currently necessary for the fix to - appear as a fix on the tracking page.</li> - </ol> + <p>For several reasons, the security support for testing cannot be expected to + be of the same quality as for Debian''s stable branch:</p> + + <ul> + <li>Updates for testing-security usually receive less testing than updates + for stable-security.</li> - <p> - Note that the above instructions are provisional until we get - everything set up. - </p> + <li>Updates for embargoed issues take longer because the testing security + team does not have access to embargoed information.</li> + + <li>Testing is changing all the time which increases the likelyhood of problems + with the build infrastructure. Such problems can delay security updates in + testing.</li> + </ul> - <h2>Members and contacting the team</h2> + <h3>Announcements</h3> + + <p> Daily notifications about fixed security issues are sent to the + <a href="http://lists.alioth.debian.org/mailman/listinfo/secure-testing-announce">secure-testing-announce at lists.alioth.debian.org</a> + mailing list.</p> - <p> - While some individual members may have sources of prior information - about security advisories (such as vendor-sec), the team as a whole - operates only on publicly available information. Any Debian - developers with an interest in participating are welcome to join - the team, and we also welcome others who have the skills and desire - to help us. 
- </p> + <h2>Contacting the team</h2> - <p> - The team can be contacted through its mailing list, - <a href="http://lists.alioth.debian.org/mailman/listinfo/secure-testing-team">secure-testing-team at lists.alioth.debian.org</a>. Please note that this is a public list, and as such, you should not send details of undisclosed vulnerabilities to this address. - Our irc channel is #debian-security on the OFTC network. - There is a second mailing list, - <a href="http://lists.alioth.debian.org/mailman/listinfo/secure-testing-commits">secure-testing-commits at lists.alioth.debian.org</a> - that receives commit messages to our repository, new team members - are encouraged to join it. - The list - <a href="http://lists.alioth.debian.org/mailman/listinfo/secure-testing-changes">secure-testing-changes at lists.alioth.debian.org</a> - receives automatic annoucements of fixed packages uploaded to our - repository. - An <a href="http://alioth.debian.org/projects/secure-testing/">alioth - project page</a> is also available. 
+ <p>To contact the team, use</p> + <ul> + <li> the + <a href="http://lists.alioth.debian.org/mailman/listinfo/secure-testing-team">team mailing list</a> at + <a href="mailto:secure-testing-team at lists.alioth.debian.org">secure-testing-team at lists.alioth.debian.org</a> + (Please note that this is a public list, and as such, you should not send details of undisclosed + vulnerabilities to this address.)</li> + + <li>IRC: Our irc channel is #debian-security on the OFTC network.</li> + </ul> + + <p>For issues related to the Debian security tracker, use the</p> + <ul></li><a href="http://lists.debian.org/debian-security-tracker/">security tracker mailing list</a> at + <a href="mailto:debian-security-tracker at lists.debian.org">debian-security-tracker at lists.debian.org</a> + </li> + </ul> + + </p> + <h2>More information</h2> + <ul> + <li><a href="uploading.html">Uploading to the testing-security repository</a></li> + <li><a href="help.html">Helping the testing security team</a></li> + + <li>There is a <a href="http://svn.debian.org/wsvn/secure-testing">subversion repository</a> + holding the data for the <a href="http://security-tracker.debian.net/">Debian + security tracker</a>. It may be checked out from + <tt>svn://svn.debian.org/secure-testing/</tt>. There is also a + <a href="http://lists.alioth.debian.org/mailman/listinfo/secure-testing-commits">mailing list</a> + commit messages.</li> + + <li><a href="http://alioth.debian.org/projects/secure-testing/">Alioth + project page</a> with a list of team members.</li> + <li><a href="http://www.cve.mitre.org/cve/index.html">Mitre''s CVE database</a></li> + </ul> + + + + <hr><p>$Id$</p> <a href="http://validator.w3.org/check?uri=referer"> <img border="0" src="http://www.w3.org/Icons/valid-html401" alt="Valid HTML 4.01!" 
height="31" width="88"></a> Added: website/uploading.html ==================================================================--- website/uploading.html (rev 0) +++ website/uploading.html 2007-10-05 21:35:05 UTC (rev 6809) 
@@ -0,0 +1,94 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> + <html><head><meta http-equiv="Content-Type" content="text/html; charset=iso8859-1"> + <title>Uploading to testing-security</title> + <link type="text/css" rel="stylesheet" href="style.css"> + <link rel="shortcut icon" href="http://www.debian.org/favicon.ico"> + </head> + <body> + <div align="center"> + <a href="http://www.debian.org/"> + + <img src="http://www.debian.org/logos/openlogo-nd-50.png" border="0" hspace="0" vspace="0" alt=""></a> + <a href="http://www.debian.org/"> + <img src="http://www.debian.org/Pics/debian.png" border="0" hspace="0" vspace="0" alt="Debian Project"></a> + </div> + <br /> + <table class="reddy" width="100%"> + <tr> + <td class="reddy"> + <img src="http://www.debian.org/Pics/red-upperleft.png" align="left" border="0" hspace="0" vspace="0" + alt="" width="15" height="16"></td> + + <td rowspan="2" class="reddy">Debian testing security team</td> + <td class="reddy"> + <img src="http://www.debian.org/Pics/red-upperright.png" align="right" border="0" hspace="0" vspace="0" + alt="" width="16" height="16"></td> + </tr> + <tr> + <td class="reddy"> + <img src="http://www.debian.org/Pics/red-lowerleft.png" align="left" border="0" hspace="0" vspace="0" + alt="" width="16" height="16"></td> + <td class="reddy"> + + <img src="http://www.debian.org/Pics/red-lowerright.png" align="right" border="0" hspace="0" vspace="0" + alt="" width="15" height="16"></td> + </tr> + </table> + + <p> + To upload a package to the secure-testing repository, any Debian + developer may follow this checklist: + <ol> + <li>Only upload changes that have already been made in + unstable and are blocked by reaching testing by some other + issues. 
This is both to keep things in sync once the + new version from unstable reaches testing, and to avoid + breaking secure-testing too badly with fixes that have not + been tested first in unstable.</li> + <li>If the orig.tar.gz is already on security.debian.org + (either in stable-security or in testing-security) + don''t include it in the upload. If in doubt, ask the team.</li> + <li>Contact the team first to avoid duplicate work.</li> + <li>Use a version number that is less than the version + number of the fix in unstable, but greater than the version + number of the fix in testing (including a possible +b1 for binNMUs). + For example, if the fix is in a new upstream version 1.0-1 in unstable, + upload version 1.0-1~lenny1 to testing-security. If the current version + in testing is 1.2-3 and the fix is backported to this version, upload + version 1.2-3+lenny1 to testing-security.</li> + <li>Use "testing-security" as the distribution in the + changelog.</li> + <li>Build the package in a testing chroot using pbuilder + so that all the dependencies are ok. Be sure to build with + the -sa switch to include source, unless the source is + already in the testing-security archive. + </li> + <li>Test the package. Diff the package against the version + in testing (if backporting fixes). Use debdiff on both + source and binary packages.</li> + <li>Sign the package. Any Debian developer in the keyring + can do so.</li> + <li>Upload to <tt>security-master.debian.org</tt>. + Here is a dput.cf snippet for that upload queue: + <pre> + [testing-security] + fqdn = security-master.debian.org + method = ftp + incoming = /pub/OpenSecurityUploadQueue/ + login = anonymous + </pre> + Note that this is <em>not</em> the same queue as usually used for stable security. + </li> + </ol> + + + +<hr><p>$Id: index.html 6493 2007-09-04 11:06:04Z nion $</p> +<a href="http://validator.w3.org/check?uri=referer"> + <img border="0" src="http://www.w3.org/Icons/valid-html401" alt="Valid HTML 4.01!" 
height="31" width="88"></a> + <a href="http://jigsaw.w3.org/css-validator/check/referer"> + <img border="0" src="http://jigsaw.w3.org/css-validator/images/vcss" alt="Valid CSS!" + height="31" width="88"></a> + + +</body></html>
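Review bot: the new "For issues related to the Debian security tracker" block in the index.html hunk is malformed: `<ul></li><a href="http://lists.debian.org/debian-security-tracker/">security tracker mailing list</a>` opens the list with a closing `</li>` instead of an opening `<li>`, and the `</p>` that follows that `</ul>` has no matching open tag (the preceding `<p>For issues related ...</p>` is already closed), so the page will no longer pass the W3C validator it links to in its footer; change `<ul></li>` to `<ul><li>` and drop the stray `</p>`. Smaller points in the same hunk: "availably" should be "available", "likelyhood" should be "likelihood", and "There is also a <a ...>mailing list</a> commit messages" is missing a word (for example "mailing list receiving commit messages"). The rewrite also removes the old "Data sources" paragraph that asked reporters to include CVE numbers in bug reports and changelog entries and offered to obtain one for them; nothing in this commit carries that guidance over, so if it is still wanted it should go into help.html.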
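Review bot: the footer of the new uploading.html, `<hr><p>$Id: index.html 6493 2007-09-04 11:06:04Z nion $</p>`, carries the already-expanded keyword copied from index.html, so the new page will report another file's revision and author; replace it with the bare `$Id$` that index.html uses (and make sure the svn:keywords property is set on the new file, if it is not inherited) so it expands to uploading.html's own revision. Also, the step that used to follow the upload in index.html (acceptance mail to the secure-testing-changes list, builds for the other architectures, signed build logs, a team member issuing the DTSA) is deleted there and not carried over here, so the checklist now stops at the upload without telling the uploader what happens next; consider adding a closing item that covers it.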