[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bits from the Security Team

Hash: SHA1

Use of RT

The Security Team is now using Request Tracker to coordinate work 
and our RT processes have already been refined a lot.
If you're a package maintainer working towards a security update,
you're now encouraged to open a ticket directly. You will be kept in
CC during the life time of the ticket. If you're opening a ticket for
a security problem, which is not yet publicly known, e.g. if you've
discovered it by yourself or if you have been contacted by upstream,
please open a ticket in the "Security - Private" queue. These
issues will only be visible by the Security Team.

If you're opening a ticket for a security problem which is publicly
known, e.g. if it's announced on the project web site, please open a
ticket in the "Security" queue. These issues will be visible publicly.

Security Patch Test Program

We're planning to improve our quality assurance process for security
updates by providing a public security update beta test program in
addition to the existing QA done for security updates. 
During the preparation of security updates, there's an inherent delay
between the initial upload of the fixed packages and the time until
the packages have been built on porter machines. This time gap will be
used for a new security update beta program. The test program will be
targeted at large installations, which install security updates in a
test environment before installing them into the production
environment. This test group will be initially limited.

Public patch review

To ease review of updates and increase transparency, a new mailing
list is planned, on which the diffs made for a security updates are
being posted. Anyone wishing to help implement this should contact

Open issues for Lenny

Some technical issues have been communicated to the release managers,
which affect the release of Lenny and the packages contained
within. Most of these will be handled through bug reports, some of them
are already filed, so you should be aware of them already if you
maintain such a package.

As an example some legacy libs will be phased out to reduce the
security maintenance overhead (e.g. Gnome 1.x packages).

If there's anything you'd like to bring to our attention, please
contact us at team@security.debian.org

Minor security fixes as part of a stable point update

Some security issues are not severe enough to be fixed through a Debian
Security Advisory. Some of them might still be fixed through the regular
point updates, where they cause less work for the administrator installing
the updates. Nico Golde <nion@debian.org> is coordinating these updates
and can assist the respective maintainer in the necessary procedures.

Looking for new Security Team Members

We've recently extended our ranks by Thijs and Florian and we're looking
for up to two more people to broaden our basis further. The basic
requirements are:

* You need to have experience with security work before. Please outline
  what you've done in the past, both within and without Debian.

* You must have time to kill. You'll need to be able to dedicate
  a chunk of time each week to this task, and be able to keep
  up with what's going on on a close to daily basis.
  Also, please tell us, in which time zone you live and during
  which times you'll typically be able to communicate with the
  rest of us.

* Diligence is the key.

* You need to be an experienced programmer, both in understanding
  existing code and in creating / backporting patches.
  You don't need to be able to understand every language in our
  archive (which is impossible), but tell us about your existing
  skill set.

* You need to be familiar with how the wide variety Debian packages
  are maintained, patched and built. If you're not scared by
  packages generating their patch series by applying sed statements
  from cdbs include files before passing the patches through an
  awk filter to quilt until they're finally built with yada, you
  might be the right person.

Version: GnuPG v1.4.6 (GNU/Linux)


Reply to: