[Secure-testing-commits] r9130 - doc
micah at alioth.debian.org
Tue Jun 24 03:47:40 UTC 2008
Author: micah
Date: 2008-06-24 03:47:39 +0000 (Tue, 24 Jun 2008)
New Revision: 9130
Modified:
doc/bits_2008_06_x
Log:
some language clean-up work
Modified: doc/bits_2008_06_x
===================================================================
--- doc/bits_2008_06_x 2008-06-23 19:20:48 UTC (rev 9129)
+++ doc/bits_2008_06_x 2008-06-24 03:47:39 UTC (rev 9130)
@@ -1,137 +1,140 @@
Hi fellow developers,
-It's been some time since our last email. Much happened regarding
-security support of Debian's testing distribution.
+It's been some time since our last email. Much has happened since then
+with regards to the security support of Debian's testing distribution.
-Level of security support for the testing distribution:
--------------------------------------------------------
+General security support for testing
+------------------------------------
-The Debian Testing Security team provides almost provides full security
-support for the testing distribution. At the time of the last email, two
-blockers for full security support were present. We are happy to announce
-that only one remains. The Debian Testing Security Team is now able to
-process embargoed issues (read more about that below).
-Therefore, the only remaining blocker for full security support is the kernel.
-We are talking to the kernel security team about providing testing-security
-support, but at the moment this task lacks manpower. If you are willing to
-work on this, please feel free to contact us. Otherwise, we recommend to use
-the stable kernel or if that is not an option, the unstable kernel in regard
-to security.
-Also, we would like to state that packages that are not security supported for
-stable are likewise unsupported for testing. This list includes all packages
-in contrib and non-free, as well as the ones that are marked unsupported (such
-an example would be kfreebsd). The maintainers are solely responsible for
-security and there won't be any DTSAs for such packages.
+The Debian Testing Security team is very near to providing full
+security support for the testing distribution. At the time of the last
+email, two blockers for full security support were present. However,
+we now are able to process embargoed issues (more on that below), so
+we are happy to announce that only one blocker remains. The only
+remaining blocker for full security support at this point is the
+kernel. We are talking to the kernel security team about providing
+testing-security support, but at the moment this task lacks
+manpower. If you are willing to work on this, please feel free to
+contact us. Otherwise, in terms of security at this point we recommend
+using the stable kernel or if that is not an option, the unstable
+kernel. Also, we would like to state that packages that are not
+security supported for stable are likewise unsupported for
+testing. This list includes all packages in contrib and non-free, as
+well as the ones that are marked unsupported (for example,
+kfreebsd). The maintainers are solely responsible for security and
+there won't be any DTSAs for such packages.
-Security status of the current testing distribution (lenny):
-------------------------------------------------------------
+Security status of the current testing distribution (lenny)
+-----------------------------------------------------------
-With some pride we can say that testing was never in such good shape before
-in regards to security. The tracker is reflecting known security issues in
-the testing distribution[0]. The new announcement emails provide a notification
-for users whenever a new security fix reaches testing, whether through
-migration from unstable or DTSA for testing-security. Also fewer packages are
-getting removed from testing because of security issues.
+With some pride we can say that testing has never been in such good
+shape security wise. The tracker reflects very accurately the current
+known security issues in the testing distribution[0]. Our new
+announcement emails[1] provide a notification for users whenever a new
+security fix reaches testing, whether through migration from unstable
+or DTSA for testing-security. Also fewer packages are getting removed
+from testing because of security issues.
-In order to reach a wider audience with security updates for testing and
-because since beta1 of the lenny installer the testing-security repository is
-included in the apt-sources, a new mailing list has been created:
-debian-testing-security-announce at lists.debian.org.
+In order to reach a wider audience with security updates for testing
+and due to the beta1 release of the lenny installer including the
+testing-security repository in the apt-sources, this new mailing list
+was created. We highly recommend that every user who runs Debian
+testing and is concerned about security subscribes[1] to this list
-We highly recommend that every user who runs Debian testing and is concerned
-about security subscribes to the debian-testing-security announcement list[1].
-Note that this list is a replacement of the old secure-testing-announce list
-hosted on alioth which has been removed now.
+Note: this list is a replacement of the old secure-testing-announce
+list hosted on alioth which has been removed.
-Security status of the next testing distribution (lenny+1):
------------------------------------------------------------
+Security status of the next testing distribution (lenny+1)
+----------------------------------------------------------
After the release of lenny, there will probably be no security support
-for the new testing distribution for some time. It is not clear yet how long
-this state will last (we expect between a few days and two months). Users of
-testing who need security support are advised to change their sources.list
-entries from "testing" to "lenny" now and only switch to lenny+1 after the
-begin of its security support is announced. There will be another announcement
+for the new testing distribution for some time. It is not clear yet
+how long this state will last. Users of testing who need security
+support are advised to change their sources.list entries from
+"testing" to "lenny" now and only switch to lenny+1 after the begin of
+its security support is announced. There will be another announcement
with more details well before the release of lenny.
-Embargoed issues and access to wider security information:
+Embargoed issues and access to wider security information
---------------------------------------------------------
Parts of the Testing Security Team have been added to the
-team at security.debian.org alias and are thus also subscribed to the vendor-sec
-mailing list where embargoed security issues are coordinated and discussed
-between Linux vendors before being released to the public. The embargoed
-security queue on security-master will be used to prepare DTSAs for such
-issues. This is a major change as the Testing Security Team was not able to
-prepare updates for security issues under embargo before. If a DTSA was
-prepared for an embargoed issue in your package, you will either be contacted
-by us before the release or you will be notified through the BTS. Either way,
-you will most likely get an RC bug against your package including the patch
-used for the DTSA. This way you can prepare updates for unstable and the
-current unfixed unstable package does not migrate to testing, where it would
-overwrite the DTSA.
+team at security.debian.org alias and are thus also subscribed to the
+vendor-sec mailing list where embargoed security issues are
+coordinated and discussed between Linux vendors before being released
+to the public. The embargoed security queue on security-master will be
+used to prepare DTSAs for such issues. This is a major change as the
+Testing Security Team was not able to prepare updates for security
+issues under embargo before. If a DTSA was prepared for an embargoed
+issue in your package, you will either be contacted by us before the
+release or you will be notified through the BTS. Either way, you will
+most likely get an RC bug against your package including the patch
+used for the DTSA. This way you can prepare updates for unstable and
+the current unfixed unstable package does not migrate to testing,
+where it would overwrite the DTSA.
-Freeze of lenny coming up:
---------------------------
+Freeze of lenny coming up
+-------------------------
-With the lenny release approaching, the Debian release team will at some stage
-freeze the testing archive. This means it is even more important to stay in
-close contact with the Debian Testing Security Team to coordinate security
-updates for the testing distribution. If one of your packages is affected by
-an unembargoed security issue, please contact us through the public list of
-the team[2] and fix the issue in unstable with high urgency. Please send as
-many information as possible, including patches, ways to reproduce the issue
-and further descriptions. If we ask you to prepare a DTSA, please follow the
-instructions on the testing-security webpage[3] and go ahead with the upload.
-If your package is affected by an embargoed issue, email the private list[4]
-and if we should ask you to upload a DTSA, use the embargoed upload queue
-(which is the same than for stable/oldstable).
+With the lenny release approaching, the Debian release team will at
+some stage freeze the testing archive. This means it is even more
+important to stay in close contact with the Debian Testing Security
+team to coordinate security updates for the testing distribution. If
+one of your packages is affected by an unembargoed security issue,
+please contact us through the public list of the team[2] and fix the
+issue in unstable with high urgency. Please send as much information
+as possible, including patches, ways to reproduce the issue and
+further descriptions. If we ask you to prepare a DTSA, please follow
+the instructions on the testing-security webpage[3] and go ahead with
+the upload. If your package is affected by an embargoed issue, email
+the private list[4] and if we should ask you to upload a DTSA, use the
+embargoed upload queue (which is the same than for stable/oldstable).
-Handling of security issues in the unstable distribution:
----------------------------------------------------------
+Handling of security in the unstable distribution
+-------------------------------------------------
-First of all, unstable does not have official security support. The illusion
-that the Debian Testing Security Team also officially supports unstable is not
-true. Security issues in unstable, especially when the package is not in
-testing, are not regarded as high urgency and are only dealt with when there is
-enough spare time.
+First of all, unstable does not have official security support. The
+illusion that the Debian Testing Security team also officially
+supports unstable is not true. Security issues in unstable, especially
+when the package is not in testing, are not regarded as high urgency
+and are only dealt with when there is enough spare time.
-However, it is true that we let most of our security updates migrate through
-unstable to prevent doubled workload here. For this purpose, we urge every
-maintainer to upload their security fixes with high urgency and mention the CVE
-ids (if given) in their changelogs. Because we let fixes migrate, it often
-happens that we NMU packages. An up to date list of NMUs done by the security
-team can be found in our repository[5]. These NMUs are done as the need arises
-and do not always follow the given NMU rules, because security updates are
-treated with higher urgency. If you happen to get a bug reported against one of
-your packages, please speak up, but if a working patch is already reported and
-not disputed, consider uploading soon.
+However, it is true that most of our security updates migrate through
+unstable to prevent doubled workload. For this purpose, we urge every
+maintainer to upload their security fixes with high urgency and
+mention the CVE ids (if given) in their changelogs. Because we let
+fixes migrate, it often happens that we NMU packages. An up to date
+list of NMUs done by the security team can be found in our
+repository[5]. These NMUs are done as the need arises and do not
+always follow the given NMU rules, because security updates are
+treated with higher urgency.
Call for new members:
---------------------
-The team is still looking for new members. If you are interested in joining the
-Debian Testing Security Team, please speak up and either write to the public
-mailing list[2] or approach us on the internal mailing list[6]. Note that
-you do not have to be a DD for all tasks.
-Check out our call for help[7] for more information about the tasks and the
-requirements if you want to join the team. We also look for people with
-experienced knowledge regarding the kernel. We would like to start security
-support for the kernel packages in testing and prepare DTSAs for the
-unembargoed kernel issues. For this task, it would be good to have one or two
-designated people in the Debian Testing Security Team to only concentrate on
-this task. If you are interested, please speak up.
+The team is still looking for new members. If you are interested in
+joining the Debian Testing Security team, please speak up and either
+write to the public mailing list[2] or approach us on the internal
+mailing list[6]. Note that you do not have to be a DD for all tasks.
+Check out our call for help[7] for more information about the tasks
+and the requirements if you want to join the team. We also look for
+people with experienced knowledge regarding the kernel. We would like
+to start security support for the kernel packages in testing and
+prepare DTSAs for the unembargoed kernel issues. For this task, it
+would be good to have one or two designated people in the Debian
+Testing Security team to only concentrate on this task. If you are
+interested, please speak up.
Yours,
-Testing Security Team
+Testing Security
[0]: http://security-tracker.debian.net/tracker/status/release/testing
[1]: http://lists.debian.org/debian-testing-security-announce
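Review bot: In the rewritten "Security status of the current testing distribution (lenny)" section, the new paragraph says "this new mailing list was created", but the line naming the list (debian-testing-security-announce at lists.debian.org) is removed, so "this" has no antecedent in the body text; the same paragraph ends at "subscribes[1] to this list" with no full stop. Suggest keeping the list address in that sentence and closing it with a period. Several changes also go beyond the "some language clean-up work" of the log message: the estimate "(we expect between a few days and two months)" is dropped from the lenny+1 section, the last sentence of the unstable section ("If you happen to get a bug reported against one of your packages, please speak up, ...") is removed, and the signature loses "Team". Either restore these or mention them in the log. On headings, "Call for new members:" keeps its trailing colon while every other heading lost it, and the underline under "Embargoed issues and access to wider security information" is left unchanged, so it is now one dash longer than the heading.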