
RfD: Debian Security Policy

I have thought about Debian Security for a while.  I have the strong
feeling that we should iron out what we're doing and document this.
We've discussed this document among the developers, so now it's time
to present it to a wider group.  Please tell us what you think and
whether you have improvements for it.

Debian Security Policy

1. This Policy document describes the scope and duties of the Debian
   Security Team for Debian.

2. As soon as an incident is known, the Security Team works on fixing
   the affected packages.  If no fix is known yet, they try to develop
   one on their own in cooperation with the affected package maintainers.

3. The Security Team corresponds with well-known security resources,
   which it also uses as sources.  We believe in full disclosure.  If
   the incident is not yet publicly known, the Security Team will
   release a general security alert to these resources, independent of
   the one for Debian and regardless of whether a fix exists yet.

4. If the exploit/fix is known and Debian is able to fix it within one
   week, either the maintainer or the Security Team fixes the packages,
   uploads them to both stable and unstable, and the Security Team
   releases a security advisory.  If the auto-compilers don't pick up
   the source files, the Security Team will ask the porters to
   recompile or will do so itself.

5. If it takes longer to fix such a bug, the Security Team releases a
   temporary advisory, warning the users and asking them to disable the
   service or do whatever else is needed.  This shall be superseded by
   a later advisory when the bug is fixed.

6. All security fixes will be installed on security.debian.org as soon
   as possible.  This source is accessible via

   For apt-get: deb http://security.debian.org/ stable updates
   For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates

   The Security Team also has to take care of the uploads to stable and
   unstable, so the packages will appear there too.

7. If the maintainer of a certain package does not respond within a
   few days or is unable to provide a fixed package, the Security Team
   is permitted to work on a fixed version on its own.  Such a package
   will be handled similarly to other non-maintainer uploads, except
   that the Security Team does not have to wait for a couple of weeks.
   The rule is still "minimal changes only".

8. New subreleases of the stable distribution containing security
   updates will be prepared every one or two months, depending on the
   number of security updates.  This will keep systems relatively up
   to date.  It will also keep proposed-updates and
   security.debian.org small.  An announcement will be made covering
   each new subrelease.

   The subrelease will be done by the Release Engineer or, if
   available, the Stable Release Manager, and prepared in cooperation
   with the Security Team, which is responsible for security updates.



Linux - the choice of a GNU generation.

Please always Cc to me when replying to me on the lists.
