Bits from the Security Team
-----BEGIN PGP SIGNED MESSAGE-----
Use of RT
The Security Team is now using Request Tracker (RT) to coordinate its work,
and our RT processes have already been refined considerably.
If you're a package maintainer working towards a security update,
you're now encouraged to open a ticket directly. You will be kept in
CC for the lifetime of the ticket. If you're opening a ticket for
a security problem which is not yet publicly known, e.g. if you've
discovered it yourself or if you have been contacted by upstream,
please open a ticket in the "Security - Private" queue. These
issues will only be visible to the Security Team.
If you're opening a ticket for a security problem which is publicly
known, e.g. if it's announced on the project web site, please open a
ticket in the "Security" queue. These issues will be visible publicly.
Security Patch Test Program
We're planning to improve our quality assurance process for security
updates by providing a public security update beta test program in
addition to the existing QA done for security updates.
During the preparation of security updates there is an inherent delay
between the initial upload of the fixed packages and the time at which
the packages have been built on the porter machines. This time gap will be
used for a new security update beta program. The test program will be
targeted at large installations which install security updates in a
test environment before rolling them out to the production
environment. The size of this test group will initially be limited.
Public patch review
To ease review of updates and increase transparency, a new mailing
list is planned, to which the diffs for security updates will
being posted. Anyone wishing to help implement this should contact
Open issues for Lenny
Some technical issues which affect the release of Lenny and the packages
contained in it have been communicated to the release managers.
Most of these will be handled through bug reports; some of them
have already been filed, so you should be aware of them already if you
maintain such a package.
As an example, some legacy libraries will be phased out to reduce the
security maintenance overhead (e.g. the Gnome 1.x packages).
If there's anything you'd like to bring to our attention, please
contact us at email@example.com
Minor security fixes as part of a stable point update
Some security issues are not severe enough to warrant a Debian
Security Advisory. Some of them can still be fixed through the regular
point updates, where they cause less work for the administrator installing
the updates. Nico Golde <firstname.lastname@example.org> is coordinating these updates
and can assist the respective maintainer in the necessary procedures.
Looking for new Security Team Members
We've recently extended our ranks with Thijs and Florian, and we're looking
for up to two more people to broaden our base further. The basic
* You need to have prior experience with security work. Please outline
what you've done in the past, both within and outside Debian.
* You must have time to kill. You'll need to be able to dedicate
a chunk of time each week to this task, and be able to keep
up with what's going on on a close to daily basis.
Also, please tell us, in which time zone you live and during
which times you'll typically be able to communicate with the
rest of us.
* Diligence is the key.
* You need to be an experienced programmer, both in understanding
existing code and in creating / backporting patches.
You don't need to be able to understand every language in our
archive (which is impossible), but tell us about your existing
* You need to be familiar with how the wide variety of Debian packages
are maintained, patched and built. If you're not scared by
packages generating their patch series by applying sed statements
from cdbs include files before passing the patches through an
awk filter to quilt until they're finally built with yada, you
might be the right person.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
-----END PGP SIGNATURE-----