Author: thijs Date: 2008-06-11 14:58:23 +0000 (Wed, 11 Jun 2008) New Revision: 9031 Modified: doc/bits_2008_06_x Log: some language and rewraps Modified: doc/bits_2008_06_x ==================================================================--- doc/bits_2008_06_x 2008-06-11 14:52:21 UTC (rev 9030) +++ doc/bits_2008_06_x 2008-06-11 14:58:23 UTC (rev 9031) @@ -1,7 +1,7 @@ Hi fellow developers, -it''s been some time since our last email. -Much happened in regard to security support of Debian''s testing distribution. +It''s been some time since our last email. Much happened regarding +security support of Debian''s testing distribution. Level of security support for the testing distribution: 
@@ -26,15 +26,16 @@ With some pride we can say that testing was never in such good shape before in regards to security. The tracker is reflecting known security issues in the testing distribution[0]. The new announcement emails provide a notification -for users, whenever a new security fix reaches testing, whether through +for users whenever a new security fix reaches testing, whether through migration from unstable or DTSA for testing-security. Also fewer packages are -getting removed from testing, because of security issues. +getting removed from testing because of security issues. -In order to reach a wider audience with security updates for testing and because -since beta1 of the lenny installer the testing-security repository is included in -the apt-sources, a new mailing list hosted was created: +In order to reach a wider audience with security updates for testing and +because since beta1 of the lenny installer the testing-security repository is +included in the apt-sources, a new mailing list has been created: debian-testing-security-announce at lists.debian.org. -We highly recommend that every user, who runs Debian testing and is concerned + +We highly recommend that every user who runs Debian testing and is concerned about security subscribes to the debian-testing-security announcement list[1]. Note that this list is a replacement of the old secure-testing-announce list hosted on alioth which was removed now. 
@@ -55,18 +56,18 @@ Embargoed issues and access to wider security information: --------------------------------------------------------- -Parts of the Testing Security Team have been added to the team at security.debian.org -alias and thus being also subscribed to the vendor-sec mailing list where -embargoed security issues are coordinated and discussed between Linux -vendors before being released to the public. The embargoed security queue -on security-master will be used to prepare DTSAs for such issues. This is a -major change as the Testing Security Team was not able to prepare updates -for security issues under embargo before. If a DTSA was prepared for an embargoed -issue in your package, you will either be contacted by us before the release or -you will be notified through the BTS. Either way, you will most likely get an -RC bug against your package including the patch used for the DTSA. This way -you can prepare updates for unstable and the current unfixed unstable package does -not migrate to testing, where it would overwrite the DTSA. +Parts of the Testing Security Team have been added to the +team at security.debian.org alias and thus being also subscribed to the vendor-sec mailing list where embargoed security issues are coordinated and discussed +between Linux vendors before being released to the public. The embargoed +security queue on security-master will be used to prepare DTSAs for such +issues. This is a major change as the Testing Security Team was not able to +prepare updates for security issues under embargo before. If a DTSA was +prepared for an embargoed issue in your package, you will either be contacted +by us before the release or you will be notified through the BTS. Either way, +you will most likely get an RC bug against your package including the patch +used for the DTSA. This way you can prepare updates for unstable and the +current unfixed unstable package does not migrate to testing, where it would +overwrite the DTSA. 
Freeze of lenny coming up: @@ -89,10 +90,12 @@ Handling of security issues in the unstable distribution: --------------------------------------------------------- -First of all, unstable does not have official security support. The illusion that -the Debian Testing Security Team also officially supports unstable is not true. -Security issues in unstable, especially when the package is not in testing, are -not regarded as high urgency and only dealt with, when there is enough spare time. +First of all, unstable does not have official security support. The illusion +that the Debian Testing Security Team also officially supports unstable is not +true. Security issues in unstable, especially when the package is not in +testing, are not regarded as high urgency and only dealt with when there is +enough spare time. + However, it is true that we let most of our security updates migrate through unstable to prevent doubled workload here. For this purpose, we urge every maintainer to upload their security fixes with high urgency and mention the CVE
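Review bot: In the hunk at @@ -26,15 +26,16 @@, the rewrapped sentence still reads "and because since beta1 of the lenny installer the testing-security repository is included in the apt-sources", which stacks two conjunctions ("because since"). As this commit is a language pass, consider "and because the testing-security repository has been included in the apt-sources since beta1 of the lenny installer". The unchanged context line "hosted on alioth which was removed now" has the same kind of problem and could become "which has now been removed".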
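Review bot: In the hunk at @@ -55,18 +56,18 @@, the second added line ("+team at security.debian.org alias and thus being also subscribed to the vendor-sec mailing list where embargoed security issues are coordinated and discussed") was not rewrapped and is about twice as long as the added lines around it, so the paragraph is still unevenly wrapped after this change. Break it at the same width as the others. The phrase "and thus being also subscribed" also passes through unchanged; "and are thus also subscribed" would be grammatical.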
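Review bot: In the hunk at @@ -89,10 +90,12 @@, the added text keeps "The illusion that the Debian Testing Security Team also officially supports unstable is not true", which is redundant because an illusion is untrue by definition. Suggest "The impression that the Debian Testing Security Team also officially supports unstable is wrong". The added blank line before "However," starts a new paragraph rather than rewrapping the existing one, which is fine if intended, since that sentence introduces the contrasting point.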