Author: nion Date: 2007-10-06 11:32:45 +0000 (Sat, 06 Oct 2007) New Revision: 6826 Modified: doc/bits_2007_10_x Log: some additional bits :) Modified: doc/bits_2007_10_x ==================================================================--- doc/bits_2007_10_x 2007-10-06 09:48:03 UTC (rev 6825) +++ doc/bits_2007_10_x 2007-10-06 11:32:45 UTC (rev 6826) @@ -17,8 +17,9 @@ Therefore, we set up daily announcements going to the announcement mailinglist[0], which include all new security fixes for the testing distribution. Most commonly the email shows the migrated packages. -If there has been a DTSA issued for a package, this will show up as -well. In some rare cases, the Testing Security Team asks the release +If there has been a DTSA(Debian Testing Security Advisory) issued for +a package, this will show up as well. +In some rare cases, the Testing Security Team asks the release managers to remove a package from unstable, because a security fix in a reasonable amount of time seems to be unlikely and the package should not be offered in our opinion. In this case, the email will inform @@ -29,11 +30,12 @@ Efforts to fix security issues in unstable ------------------------------------------ -The Testing Security Team works mainly on the issued CVE numbers. If +The Testing Security Team works mainly on the issued CVE numbers but also +follows security relevant bugs reported via the BTS. If you encounter a security problem in one of your packages, which does not have a CVE number yet, please contact the Testing Security Team. It is important to have such a CVE id, because they allow us to track -the security problem in all debian branches (including Debian stable). +the security problem in all Debian branches (including Debian stable). When you upload a security fix to unstable, please also include the CVE id in your changelog and set the priority to high. The tracker used by both, Testing and Stable Security Team, can be found on this 
@@ -58,7 +60,7 @@ As already mentioned, the main effort to keep testing secure is by letting fixed packages migrate from unstable. In order to ensure this migration process, we are in close contact with the release team and -sometimes request a bump of the priority. Sometimes a package is +request priority bumps to speed up the migration. Sometimes a package is kept from migrating due to a transition, the occurrence of new bugs in unstable, buildd issues or other problems. In these cases, the Testing Security Team considers to issue a DTSA. We always appreciate, if a @@ -71,10 +73,20 @@ the need to issue a DTSA and were not contacted by the maintainer, we normally go ahead and upload ourselves, although the maintainer effort is much preferred. -An up to date overview of unresolved issues in unstable can be found on +An up to date overview of unresolved issues in testing can be found on the tracker website[4]. + +Some statistics +--------------- + +* 32 DTSAs had been issued in 2007 so far for over 120 CVE ids +* 33 NMUs were uploaded in the last two months to fix security flaws +* 40 security related uploads migrated to testing in the last month + + + New Testing Security Members ---------------------------- @@ -90,11 +102,7 @@ [0]: http://lists.alioth.debian.org/mailman/listinfo/secure-testing-announce - [1]: http://security-tracker.debian.net/tracker/ - [2]: http://security-tracker.debian.net/tracker/status/release/unstable - [3]: http://secure-testing-master.debian.net/uploading.html - [4]: http://security-tracker.debian.net/tracker/status/release/testing
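Review bot: The added line "+If there has been a DTSA(Debian Testing Security Advisory) issued for" in the @@ -17,8 +17,9 @@ hunk is missing a space before the opening parenthesis; write "DTSA (Debian Testing Security Advisory)". The new text also breaks the line right after "a package, this will show up as well." and starts "In some rare cases" on a fresh line. Either refill the paragraph or, if a paragraph split is intended, add a blank line between the two.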
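Review bot: In the @@ -29,11 +30,12 @@ hunk the new sentence "+follows security relevant bugs reported via the BTS. If" introduces "BTS" without expanding it, while the first hunk of this same commit expands DTSA on first use. Spell it out once here as well (Bug Tracking System), and hyphenate "security relevant" as "security-relevant".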
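Review bot: The replacement line "+request priority bumps to speed up the migration." in the @@ -58,7 +60,7 @@ hunk drops the "sometimes" that the removed line carried, so the sentence now reads as if a priority bump is requested for every fixed package. If bumps are still requested only in some cases, keep a qualifier, for example "request priority bumps where needed to speed up the migration".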
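Review bot: The bullets added under "Some statistics" in the @@ -71,10 +73,20 @@ hunk count over relative windows ("in the last two months", "in the last month") with no as-of date, so a reader of the published text cannot tell which period the numbers cover; state the date the counts were taken. In the same list, "had been issued in 2007 so far" should read "have been issued", "security related" wants a hyphen, and the run of empty "+" lines after the last bullet can be reduced to one.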