I have thought about Debian Security for a while. I have the strong feeling that we should iron out what we're doing and document this. We've discussed this document within the developers, so now it's time to present it to a wider group. Please tell us what you think and if you have improvements for it.

Debian Security Policy

1. This Policy document describes the scope and duties of the Debian Security Team for Debian.

2. As soon as an incident is known, the Security Team works on fixing affected packages. If no fix is known yet, they try to develop one on their own in connection with the affected package maintainers.

3. The Security Team corresponds with well-known security resources, which they also use as a source. We believe in full disclosure. If the incident is not yet publicly known, the Security Team will release a general security alert to these resources, independent of the one for Debian and regardless of whether a fix exists or not.

4. If the exploit/fix is known and Debian is able to fix it within one week, either the maintainer or the Security Team fixes the packages, uploads them to both stable and unstable, and the Security Team releases a security advisory. If the auto-compilers don't catch the source files, the Security Team will ask porters to recompile or do that on their own.

5. If it takes longer to fix such a bug, the Security Team releases a temporary advisory, warning the users and asking them to disable the service or whatever is needed. This shall be released by a later advisory when the bug is fixed.

6. All security fixes will be installed on security.debian.org as soon as possible. This source is accessible via

   For apt-get:
     deb http://security.debian.org/ stable updates

   For dpkg-ftp:
     ftp://security.debian.org/debian-security dists/stable/updates

   The Security Team has to take care of uploads to stable and unstable as well, so the packages will appear there as well.

7. If the maintainer of a certain package does not respond within a few days or is unable to provide a fixed package, the Security Team is permitted to work on a fixed version on their own. Such a package will be handled similarly to other non-maintainer uploads, except that the Security Team does not have to wait for a couple of weeks. The rule still is "minimal changes only".

8. New subreleases of the stable distribution containing security updates will be prepared every one or two months, depending on the amount of security updates. This will keep systems relatively up to date. It will also keep proposed-updates and security.debian.org small. An announcement will be made covering the new subrelease. The subrelease will be done by the Release Engineer or - if available - the Stable Release Manager, and prepared in connection with the Security Team, who is responsible for security updates.

Regards,

Joey

--
Linux - the choice of a GNU generation.
Please always Cc to me when replying to me on the lists.