Author: white Date: 2007-10-06 02:44:46 +0000 (Sat, 06 Oct 2007) New Revision: 6811 Added: doc/bits_2007_10_x Log: First draft of the bits email Added: doc/bits_2007_10_x ==================================================================--- doc/bits_2007_10_x (rev 0) +++ doc/bits_2007_10_x 2007-10-06 02:44:46 UTC (rev 6811) 
@@ -0,0 +1,92 @@ +Hi fellow developers + +We finally got around to issue this email and inform you about the +current state of the Testing Security Team and its work. +If you at any stage have questions about the Testing Security Team, +please feel free to come to #debian-security on OFTC or ask one of the +individual members of the team. A full member list can be found on +http://www.debian.org/intro/organization. + + + +New announcement mails +---------------------- + +Because of the fact that most of the security fixes migrate from unstable +to testing, we felt the need of changing our security announcements. +Therefore, we set up daily announcements going to the announcement +mailinglist[0], which include all new security fixes for the testing +distribution. Most commonly the email shows the migrated packages. +If there has been a DTSA issued for a package, this will show up as +well. In some rare cases, the Testing Security Team asks the release +managers to remove a package from unstable, because a security fix in +a reasonable amount of time seems to be unlikely and the package should +not be offered in our opinion. In this case, the email will inform +about such a case as well. + + + +Efforts to fix security issues in unstable +------------------------------------------ + +The Testing Security Team works mainly on the issued CVE numbers. If +you encounter a security problem in one of your packages, which does +not have a CVE number yet, please contact the Testing Security Team. +It is important to have such a CVE id, because they allow us to track +the security problem in all debian branches (including Debian stable). +When you upload a security fix to unstable, please also include the +CVE id in your changelog and set the priority to high. The tracker used +by both, Testing and Stable Security Team, can be found on this +webpage[1]. 
+The main task of the Testing Security team is to review the CVE ids, +informing the Debian maintainers by filling bugs to the BTS, if not +already done and tracking the security fix down to testing. +Whenever possible, we try to provide patches and sometimes also NMU +the packages in unstable. Please do not regard an NMU by the +Testing Security Team as a bad sign. We try to assist you in the best +way to keep Debian secure. Also keep in mind that not all security +related problems have a grave severity, so do not be surprised if a +normal bug in the Debian BTS results in assigning a CVE id for it. + + + +Efforts to fix security issues in testing +----------------------------------------- + +As already mentioned, the main effort to keep testing secure is by +letting fixed packages migrate from unstable. In order to ensure this +migration process, we are in close contact with the release team and +sometimes request a bump of the priority. Sometimes a package is +kept from migrating due to a transition, the occurrence of new bugs in +unstable, buildd issues or other problems. In these cases, the Testing +Security Team considers to issue a DTSA. We always appreciate, if a +maintainer contacts us about their specific security problem. In this +case, we can assist by telling him whether to wait for migration or +to prepare an upload to testing-security. For non-DDs, these uploads +can be sponsored by every DD, preferable by a member of the Testing +Security Team. If you get a go for an upload to testing-security by +one of us, please follow the guidelines on the webpage[2]. If we feel +the need to issue a DTSA and were not contacted by the maintainer, +we normally go ahead and upload ourselves, although the maintainer +effort is much preferred. + + +New Testing Security Members +---------------------------- + +Nico Golde (nion) and Steffen Joeris (white) have been added as new +members of the Testing Security Team. + + +So far so good. 
We hope to keep you updated on testing security issues +more regularly. + +Your +Testing Security Team + + +[0]: http://lists.alioth.debian.org/mailman/listinfo/secure-testing-announce + +[1]: http://security-tracker.debian.net/tracker/ + +[2]: http://secure-testing-master.debian.net/uploading.html
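Review bot: in the "Efforts to fix security issues in unstable" section, the instruction "please also include the CVE id in your changelog and set the priority to high" names the wrong field; the value that makes a fix migrate faster is the changelog's urgency (the `urgency=high` part of the changelog header line), while "Priority" is an unrelated field in debian/control, so this should read "set the urgency to high". A few wording slips in the same draft are worth fixing before it goes out: "informing the Debian maintainers by filling bugs to the BTS" should be "filing bugs in the BTS"; "can be sponsored by every DD, preferable by a member of the Testing Security Team" should be "by any DD, preferably a member"; and "the Testing Security Team considers to issue a DTSA" should be "considers issuing a DTSA". The closing "Your / Testing Security Team" should be "Yours".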