[Secure-testing-commits] r8962 - doc

white at alioth.debian.org white at alioth.debian.org
Tue Jun 3 10:24:56 UTC 2008


Author: white
Date: 2008-06-03 10:24:56 +0000 (Tue, 03 Jun 2008)
New Revision: 8962

Added:
   doc/bits_2008_06_x
Log:
Start new Bits from announcement email

Added: doc/bits_2008_06_x
===================================================================
--- doc/bits_2008_06_x	                        (rev 0)
+++ doc/bits_2008_06_x	2008-06-03 10:24:56 UTC (rev 8962)
@@ -0,0 +1,125 @@
+Hi fellow developers,
+
+it's been some time since our last email.
+Much happened in regard to security support of Debian's testing distribution.
+
+
+Level of security support for the testing distribution:
+-------------------------------------------------------
+
+The Debian Testing Security team provides almost provides full security
+support for the testing distribution. At the time of the last email, two
+blockers for full security support were present. We are happy to announce
+that only one remains. The Debian Testing Security Team is now able to
+process embargoed issues (read more about that below).
+Therefore, the only remaining blocker for full security support is the kernel. 
+We are talking to the kernel security team about providing testing-security
+support, but at the moment this task lacks manpower. If you are willing to 
+work on this, please feel free to contact us. Otherwise, we recommend to use
+the stable kernel or if that is not an option, the unstable kernel in regard
+to security.
+
+
+Security status of the current testing distribution (lenny):
+------------------------------------------------------------
+
+With some pride we can say that testing was never in such good shape before
+in regards to security. The tracker is reflecting known security issues in
+the testing distribution(0). The new announcement emails provide a notification
+for users, whenever a new security fix reaches testing, whether through
+migration from unstable or DTSA for testing-security. Also fewer packages are
+getting removed from testing, because of security issues. 
+
+In order to reach a wider audience with security updates for testing, a new mailinglist
+was created, called debian-testing-security-announce at lists.debian.org
+We highly recommend that every user, who runs Debian testing and is concerned 
+about security subscribed to the debian-testing-security announcement list(1).
+
+
+Security status of the next testing distribution (lenny+1):
+-----------------------------------------------------------
+
+After the release of lenny, we expect to continue with the normal
+testing-security support without interruptions. However, this depends
+on our buildds and the ability to release DTSAs. We hope that the
+proper buildd network for the next testing distribution is in place
+shortly after lenny becomes stable. The announcement emails will
+continue as usual.
+
+
+Embargoed issues and access to wider security information:
+---------------------------------------------------------
+
+Coming soon ... :)
+
+
+Freeze of lenny coming up:
+--------------------------
+
+With the lenny release approaching, the Debian release team will at some stage
+freeze the testing archive. This means it is even more important to stay in
+close contact with the Debian Testing Security Team to coordinate security
+updates for the testing distribution. If one of your packages is affected by
+an unembargoed security issue, please contact us through the public list of
+the team(2) and fix the issue in unstable with high urgency. Please send as
+many information as possible, including patches, ways to reproduce the issue
+and further descriptions. If we ask you to prepare a DTSA, please follow the
+instructions on the testing-security webpage(3) and go ahead with the upload.
+If your package is affected by an embargoed issue, email the private list(4)
+and if we should ask you to upload a DTSA, use the embargoed upload queue
+(which is the same than for stable/oldstable).
+
+
+Handling of security issues in the unstable distribution:
+---------------------------------------------------------
+
+First of all, unstable does not have official security support. The illusion that
+the Debian Testing Security Team also officially supports unstable is not true.
+Security issues in unstable, especially when the package is not in testing, are
+not regarded as high urgency and only dealt with, when there is enough spare time.
+However, it is true that we let most of our security updates migrate through
+unstable. For this purpose, we urge every maintainer to upload their security
+fixes with high urgency and mention the CVE ids (if given) in their changelogs.
+Because we let fixes migrate, it often happens that we NMU packages. An up to date
+list of NMUs done by the security team can be found in the svn(5). These NMUs
+are done as the need arises and do not allways follow the given NMU rules, because
+security updates are treated with higher urgency. If you happen to get a bug
+reported against one of your packages, please speak up, but if a working patch is
+already reported and not disputed, consider uploading soon.
+
+
+Call for new members:
+---------------------
+
+The team is still looking for new members. If you are interested in joining the
+Debian Testing Security Team, please speak up and either write to the public
+mailing list(6) or approach us under on the internal mailing list(6). Note that
+you do not have to be a DD for all tasks. Your work would include to keep the
+security tracker(8) up to date, report bugs about new unembargoed issues to the
+BTS, give advice to maintainers and track the bugs, write and/or review patches,
+propose NMUs and take care of DTSAs. If you are interested, but unsure that you
+can cope with all this, we offer some level of mentoring for new members, where
+we work together on some issues as some sort of introduction. You should also
+be on IRC as most of our coordination happens there.
+
+
+Yours,
+Testing Security Team
+
+(0): http://security-tracker.debian.net/tracker/status/release/testing
+
+(1): http://lists.debian.org/debian-testing-security-announce
+
+(2): secure-testing-team at lists.alioth.debian.org
+
+(3): http://testing-security.debian.net/uploading.html
+
+(4): team at security.debian.org
+
+(5): http://svn.debian.org/wsvn/secure-testing/data/NMU/list?op=file&rev=0&sc=0
+
+(6): secure-testing-team at lists.alioth.debian.org
+
+(7): team at testing-security.debian.net
+
+(8): http://security-tracker.debian.net/tracker/
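Review bot: the "Embargoed issues and access to wider security information" section contains only "Coming soon ... :)", while the first section tells readers to "read more about that below", so the section needs its text before this goes out. In the "Call for new members" paragraph the internal mailing list is cited as (6), which is the public list; it should cite (7), which is otherwise never referenced. Smaller wording points: "provides almost provides full security support" in the first section repeats the verb, "allways" in the unstable section is misspelled, and "the same than for stable/oldstable" in the freeze section should read "the same as".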



