[Git][security-tracker-team/security-tracker][master] no-dsa triage page for the PTS (WIP)
Moritz Muehlenhoff
jmm at debian.org
Fri Feb 26 13:58:48 GMT 2021
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
664a9d2e by Moritz Muehlenhoff at 2021-02-26T14:58:41+01:00
no-dsa triage page for the PTS (WIP)
- - - - -
1 changed file:
- + doc/security-team.d.o/triage
Changes:
=====================================
doc/security-team.d.o/triage
=====================================
@@ -0,0 +1,33 @@
+Security updates affecting a released Debian suite can fall under three types:
+
+- The security issue(s) are important enough to warrant an out-of-band update released via security.debian.org which gets announced as a DSA.
+ These are getting announced via debian-security-announce and also redistributed via other sources (news feeds etc).
+
+- Low severity updates can be included in point releases, which are getting released every 2-3 months (any user using the -proposed-updates
+ mechanism can also use them before they get released). This provides a good balance between fixing low impact issues before the next stable
+ release, which can simply all be installed in one go when a point release happens.
+
+- Some issues are simply not worth fixing in a stable release (for multiple reasons, e.g. because they are mostly a PR hype, or because they
+ are mitigated in Debian via a different config or toolchain hardening).
+
+Every incoming security issues gets triaged. Security issues which are being flagged for the second category are being displayed in the
+Debian Package Tracker (tracker.debian.org), in fact you might have been redirected from the PTS to his page.
+
+For every CVE listed there, there are three possible options:
+
+- Prepare an update for the next point release following:
+https://www.debian.org/doc/manuals/developers-reference/pkgs.en.html#special-case-uploads-to-the-stable-and-oldstable-distributions
+If you CC team at security.debian.org for the release.debian.org bug, the fixed version will get recorded in the Debian Securiy Tracker.
+
+- Some packages have a steady flow of security issues and there's also the option to postpone an update to a later time, in other words
+to get piggybacked to a future DSA for a more severe security issue or held back until a few more low severity issues are known. In the
+Security Tracker these are tracked with the <postponed> state, often this means that a fix has been commited to e.g. a buster branch
+in salsa, but no upload has been made yet. You can either send a mail to team at security.debian.org and we'll update the state or
+you can also make the change yourself if you're familiar with the Security Tracker.
+
+- Some packages should rather not be fixed at all, e.g. because the possible benefit does not outweigh the risk/costs of an update
+or because an update is not possible (e.g. as it would introduce behavioural not appropriate for a stable release). In the
+Security Tracker these are tracked with the <ignored> state. You can either send a mail to team at security.debian.org and we'll update
+the state or you can also make the change yourself if you're familiar with the Security Tracker.
+
+Any of the three actions above will make the CVE ID disappear from the "low severity" entry in the Security Tracker.
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/664a9d2e067d72c2e335f241dffa7c76947e0d2c
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/664a9d2e067d72c2e335f241dffa7c76947e0d2c
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20210226/10bd7c52/attachment-0001.htm>
More information about the debian-security-tracker-commits
mailing list