[Secure-testing-commits] r6811 - doc

white at alioth.debian.org white at alioth.debian.org
Sat Oct 6 02:44:46 UTC 2007


Author: white
Date: 2007-10-06 02:44:46 +0000 (Sat, 06 Oct 2007)
New Revision: 6811

Added:
   doc/bits_2007_10_x
Log:
First draft of the bits email

Added: doc/bits_2007_10_x
===================================================================
--- doc/bits_2007_10_x	                        (rev 0)
+++ doc/bits_2007_10_x	2007-10-06 02:44:46 UTC (rev 6811)
@@ -0,0 +1,92 @@
+Hi fellow developers
+
+We finally got around to issue this email and inform you about the
+current state of the Testing Security Team and its work.
+If you at any stage have questions about the Testing Security Team,
+please feel free to come to #debian-security on OFTC or ask one of the
+individual members of the team. A full member list can be found on
+http://www.debian.org/intro/organization.
+
+
+
+New announcement mails
+----------------------
+
+Because of the fact that most of the security fixes migrate from unstable
+to testing, we felt the need of changing our security announcements.
+Therefore, we set up daily announcements going to the announcement
+mailinglist[0], which include all new security fixes for the testing
+distribution. Most commonly the email shows the migrated packages.
+If there has been a DTSA issued for a package, this will show up as
+well. In some rare cases, the Testing Security Team asks the release
+managers to remove a package from unstable, because a security fix in
+a reasonable amount of time seems to be unlikely and the package should
+not be offered in our opinion. In this case, the email will inform
+about such a case as well.
+
+
+
+Efforts to fix security issues in unstable
+------------------------------------------
+
+The Testing Security Team works mainly on the issued CVE numbers. If
+you encounter a security problem in one of your packages, which does
+not have a CVE number yet, please contact the Testing Security Team.
+It is important to have such a CVE id, because they allow us to track
+the security problem in all debian branches (including Debian stable).
+When you upload a security fix to unstable, please also include the
+CVE id in your changelog and set the priority to high. The tracker used
+by both, Testing and Stable Security Team, can be found on this
+webpage[1].
+The main task of the Testing Security team is to review the CVE ids,
+informing the Debian maintainers by filling bugs to the BTS, if not
+already done and tracking the security fix down to testing.
+Whenever possible, we try to provide patches and sometimes also NMU
+the packages in unstable. Please do not regard an NMU by the
+Testing Security Team as a bad sign. We try to assist you in the best
+way to keep Debian secure. Also keep in mind that not all security
+related problems have a grave severity, so do not be surprised if a 
+normal bug in the Debian BTS results in assigning a CVE id for it.
+
+
+
+Efforts to fix security issues in testing
+-----------------------------------------
+
+As already mentioned, the main effort to keep testing secure is by
+letting fixed packages migrate from unstable. In order to ensure this
+migration process, we are in close contact with the release team and
+sometimes request a bump of the priority. Sometimes a package is
+kept from migrating due to a transition, the occurrence of new bugs in
+unstable, buildd issues or other problems. In these cases, the Testing
+Security Team considers to issue a DTSA. We always appreciate, if a
+maintainer contacts us about their specific security problem. In this
+case, we can assist by telling him whether to wait for migration or
+to prepare an upload to testing-security. For non-DDs, these uploads
+can be sponsored by every DD, preferable by a member of the Testing
+Security Team. If you get a go for an upload to testing-security by
+one of us, please follow the guidelines on the webpage[2]. If we feel
+the need to issue a DTSA and were not contacted by the maintainer,
+we normally go ahead and upload ourselves, although the maintainer
+effort is much preferred.
+
+
+New Testing Security Members
+----------------------------
+
+Nico Golde (nion) and Steffen Joeris (white) have been added as new
+members of the Testing Security Team.
+
+
+So far so good. We hope to keep you updated on testing security issues
+more regularly.
+
+Your
+Testing Security Team
+
+
+[0]: http://lists.alioth.debian.org/mailman/listinfo/secure-testing-announce
+
+[1]: http://security-tracker.debian.net/tracker/
+
+[2]: http://secure-testing-master.debian.net/uploading.html
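Review bot: In the "New announcement mails" section, the sentence about asking the release managers "to remove a package from unstable" sits in a paragraph that is otherwise about announcements for the testing distribution, so please confirm whether "from testing" is meant. As written, readers cannot tell which suite the removal notice refers to. In "Efforts to fix security issues in unstable", "set the priority to high" should say urgency, since the field a maintainer sets in the changelog entry on upload is urgency, and "priority" is a different package field. The same wording appears in "request a bump of the priority" in the testing section. Smaller points before this goes out: "filling bugs to the BTS" should be "filing bugs in the BTS", "debian branches" should be capitalised, and "telling him" could be "telling them" to match "their specific security problem" in the preceding sentence.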



