A couple of developers have asked how to work with the new security infrastructure that is being introduced. In order to answer these questions the security team would like to introduce this document, the developer's guide to security updates. One note: this document says you have to upload security fixes to security.debian.org. At this moment that is not true: security.debian.org is still hosted on pandora and will be moved to satie once the new security infrastructure has been fully tested. Until that moment please upload to satie.debian.org instead. Wichert. ------------------------------------------------------------------------ Welcome to the developer's guide to security updates. This document contains guidelines for Debian developers for handling security problems in their packages. As usual with guidelines not everything is written down or set in stone, use common sense where needed. Coordinating with the security team ----------------------------------- If you learn of a security problem, either in your package or someone else's please always contact the security team. You can reach them via email at team@security.debian.org. They keep track of outstanding security problems, can help maintainers with security problems or fix them themselves, are responsible for sending security advisories and maintaining security.debian.org. Please note that security advisories are only done for release distributions, not for testing or unstable. Learning of security problems ----------------------------- There are a few ways a developer can learn of a security problem: * he notices it on a public forum (mailing list, website, etc.) * someone files a bugreport * someone informs him via private email In the first two cases the information is public and it is important to have a fix as soon as possible. In the last case however it might not be public information. In that case there are a few possible options for dealing with the problem: * if it is a trivial problem (like insecure temporary files) there is no need to keep the problem a secret and a fix should be made and released. * if the problem is severe (remote exploitable, possibility to gain root privileges) it is preferable to share the information with other vendors and coordinate a release. The security team keeps contacts with the various organizations and individuals and can take care of that. In all cases if the person who reports the problem asks to not disclose the information that should be respected, with the obvious exception of informing the security team (make sure you tell the security team that the information can not be disclosed). Please note that if secrecy is needed you can also not upload a fix to unstable (or anywhere else), since the changelog information for unstable is public information There are two reasons for releasing information even though secrecy is requested/required: the problem has been known for too long, or the information becomes public. Building a package ------------------ The most important guideline when making a new package that fixes a security problem is to make as few changes as possible. People are relying on the exact behaviour of a release once it is made, so any change we make can possibly break someone's system. This is especially true of libraries: make sure you never change the API or ABI, no matter how small the change. This means that moving to a new upstream version is not a good solution, instead the relevant changes should be backported. Generally upstream maintainers are willing to help if needed, if not the Debian security team might be able to help. In some cases it is not possible to backport a security fix, for example when large amounts of sourcecode need to be modified or rewritten. If that happens it might be necessary to move to a new upstream version, but always coordinate that with the security team beforehand. Related to this is another import aspect: always test your change. If you have an exploit try if it indeed succeeds on the unpatched package and fails on the fixed package. Try normal usage as well, sometimes a security fix can break normal use subtly. Finally a few technical things to keep in mind: * Make sure you target the right distribution in your debian/changelog. For stable this is stable-security and for testing this is testing-security. Do not target <codename>-proposed-updates! * Make sure the version number is proper. It has to be higher than the current package, but lower than package versions in later distributions. For testing this means there has to be a higher version in unstable. If there is none yet (testing and unstable have the same version for example) upload a new version to unstable first. * Do not make source-only uploads if your package has any binary-all packages. The buildd infrastructure will not build those. * Make sure when compiling a package you compile on a clean system which only has package installed from the distribution you are building for. If you do not have such a system yourself yourself you can try a debian.org machine (see http://db.debian.org/machines.cgi) or setup a chroot (the pbuilder and debootstrap packages can be helpful in that case). Uploading security fixes ------------------------ After you have created and tested the new package it needs to be uploaded so it can be installed in the archives. For security uploads the place to upload to is ftp://security.debian.org/pub/SecurityUploadQueue/ . Once an upload to the security queue has been accepted the package will automatically be rebuilt for all architectures and stored for verification by the security team. Uploads waiting for acceptance or verification are only accessible by the security team. This is necessary since there might be fixes for security problems that can not be disclosed yet. If a member of the security team accepts a package it will be installed on security.debian.org as well as the proper <codename>-proposed-updates in ftp-master or non-US archive. The security advisory --------------------- Security advisories are written and posted by the security team. However they certainly do not mind if a maintainer can supply (part of) the text for them. Information that should be in an advisory includes: * version number for the fix * problem type * remote or locally exploitable * short description of the package * description of the problem * description of the exploit * description of the fix -- _________________________________________________________________ /wichert@wiggy.net This space intentionally left occupied \ | wichert@deephackmode.org http://www.liacs.nl/~wichert/ | | 1024D/2FA3BC2D 576E 100B 518D 2F16 36B0 2805 3CB8 9250 2FA3 BC2D |
Attachment:
pgpdkxBlj531p.pgp
Description: PGP signature