
Bug#512620: marked as done (update section on handling security issues)



Your message dated Fri, 23 Jan 2009 09:47:04 +0000
with message-id <E1LQIcy-0007tO-0U@ries.debian.org>
and subject line Bug#512620: fixed in developers-reference 3.4.1
has caused the Debian Bug report #512620,
regarding update section on handling security issues
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
512620: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=512620
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: developers-reference
Severity: wishlist
Tags: patch

Hi,

Please find attached a patch to update the section on handling security
issues. I tried to bring some things more up to date, added a section on
the tracker, and added emphasis on the checks needed before you upload a
package.

I'm available for any comments or suggestions you have to improve it further.

thanks,
Thijs
Index: pkgs.dbk
===================================================================
--- pkgs.dbk	(revision 5767)
+++ pkgs.dbk	(working copy)
@@ -828,15 +828,13 @@
 fixing them themselves, sending security advisories, and maintaining
 <literal>security.debian.org</literal>.
 </para>
-<!-- information about the security database goes here once it's ready -->
-<!-- (mdz) -->
 <para>
 When you become aware of a security-related bug in a Debian package, whether or
 not you are the maintainer, collect pertinent information about the problem,
 and promptly contact the security team at
 &email-security-team; as soon as possible.  <emphasis
-role="strong">DO NOT UPLOAD</emphasis> any packages for <literal>stable</literal>;
- the security team will do that.  Useful information includes, for example:
+role="strong">DO NOT UPLOAD</emphasis> any packages for <literal>stable</literal>
+without contacting the team.  Useful information includes, for example:
 </para>
 <itemizedlist>
 <listitem>
@@ -871,6 +869,28 @@
 </para>
 </listitem>
 </itemizedlist>
+<para>As the maintainer of the package, you have the responsibility to
+maintain it, even in the stable release. You are in the best position
+to evaluate patches and test updated packages, so please see the sections
+below on how to prepare packages for the Security Team to handle.</para>
+
+<section id="bug-security-tracker">
+<title>The Security Tracker</title>
+<para>
+The security team maintains a central database, the 
+<url id="http://security-tracker.debian.net/"; name="Debian Security Tracker">.
+This contains all public information that is known about security issues:
+which packages and versions are affected or fixed, and thus whether stable,
+testing and/or unstable are vulnerable. Information that is still confidential
+is not added to the tracker.
+</para>
+<para>
+You can search it for a specific issue, but also on package name. Look
+for your package to see which issues are still open. If you can, please provide
+more information about those issues, or help to address them in your package.
+Instructions are on the tracker web pages.
+</para>
+
 <section id="bug-security-confidentiality">
 <title>Confidentiality</title>
 <para>
@@ -940,6 +960,10 @@
 requested: the problem has been known for a while, or the problem or exploit
 has become public.
 </para>
+<para>
+The Security Team has a PGP-key to enable encrypted communication about
+sensitive issues. See the <url id="http://www.debian.org/security/faq.en.html#contact";
+name="Security Team FAQ"> for details.
 </section>
 
 <section id="bug-security-advisories">
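Review bot: the <para> added at the end of the Confidentiality section is not closed before </section>, so the file stops being well-formed XML and the DocBook build will fail; add </para> after 'name="Security Team FAQ"> for details.'. The link has the same problem as in the tracker hunk: <url id="..." name="..."> is not DocBook, use <ulink url="http://www.debian.org/security/faq.en.html#contact">Security Team FAQ</ulink> instead. Wording nit: "PGP-key" should be "PGP key".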
@@ -1076,7 +1100,8 @@
 <itemizedlist>
 <listitem>
 <para>
-Target the right distribution in your <filename>debian/changelog</filename>.
+<emphasis role="strong">Target the right distribution</emphasis>
+in your <filename>debian/changelog</filename>.
 For <literal>stable</literal> this is <literal>stable-security</literal> and
 for testing this is <literal>testing-security</literal>, and for the previous
 stable release, this is <literal>oldstable-security</literal>.  Do not target
@@ -1086,67 +1111,58 @@
 </listitem>
 <listitem>
 <para>
-The upload should have urgency=high.
+The upload should have <emphasis role="strong">urgency=high</emphasis>.
 </para>
 </listitem>
 <listitem>
 <para>
 Make descriptive, meaningful changelog entries.  Others will rely on them to
-determine whether a particular bug was fixed.  Always include an external
-reference, preferably a CVE identifier, so that it can be cross-referenced.
-Include the same information in the changelog for <literal>unstable</literal>,
-so that it is clear
-that the same bug was fixed, as this is very helpful when verifying that the
-bug is fixed in the next stable release.  If a CVE identifier has not yet been
-assigned, the security team will request one so that it can be included in the
-package and in the advisory.
+determine whether a particular bug was fixed.  Add <literal>closes:</literal>
+statements for any <emphasis role="strong">Debian bugs</emphasis> filed.
+Always include an external reference, preferably a <emphasis role="strong">CVE
+identifier</emphasis>, so that it can be cross-referenced. However, if a CVE
+identifier has not yet been assigned, do not wait for it but continue the
+process. The identifier can be cross-referenced later.
 </para>
 </listitem>
 <listitem>
 <para>
-Make sure the version number is proper.  It must be greater than the current
-package, but less than package versions in later distributions.  If in doubt,
-test it with <literal>dpkg --compare-versions</literal>.  Be careful not to
-re-use a version number that you have already used for a previous upload.  For
-<literal>testing</literal>, there must be a higher version in
-<literal>unstable</literal>.  If there is none yet (for example, if
-<literal>testing</literal> and <literal>unstable</literal> have the same
-version) you must upload a new version to <literal>unstable</literal> first.
+Make sure the <emphasis role="strong">version number</emphasis> is proper. 
+It must be greater than the current package, but less than package versions in
+later distributions.  If in doubt, test it with <literal>dpkg
+--compare-versions</literal>.  Be careful not to re-use a version number that
+you have already used for a previous upload, or one that conflicts with a
+binNMU. The convention is to append
+<literal>+</literal><replaceable>codename</replaceable><literal>1</literal>, e.g.
+<literal>1:2.4.3-4+etch1</literal>, of course increasing 1 for any subsequent
+uploads.
 </para>
 </listitem>
 <listitem>
 <para>
-Do not make source-only uploads if your package has any binary-all packages (do
-not use the <literal>-S</literal> option to
-<command>dpkg-buildpackage</command>).  The <command>buildd</command>
-infrastructure will not build those.  This point applies to normal package
-uploads as well.
-</para>
-</listitem>
-<listitem>
-<para>
 Unless the upstream source has been uploaded to <literal>security.debian.org
-</literal> before (by a previous security update), build the upload with full
-upstream source (<literal>dpkg-buildpackage -sa</literal>).  If there has been
-a previous upload to <literal>security.debian.org</literal> with the same
-upstream version, you may upload without upstream source (<literal>
-dpkg-buildpackage -sd</literal>).
+</literal> before (by a previous security update), build the upload <emphasis
+role="strong">with full upstream source</emphasis> (<literal>dpkg-buildpackage
+-sa</literal>).  If there has been a previous upload to
+<literal>security.debian.org</literal> with the same upstream version, you may
+upload without upstream source (<literal> dpkg-buildpackage -sd</literal>).
 </para>
 </listitem>
 <listitem>
 <para>
-Be sure to use the exact same <filename>*.orig.tar.gz</filename> as used in the
+Be sure to use the <emphasis role="strong">exact same
+<filename>*.orig.tar.gz</filename></emphasis> as used in the
 normal archive, otherwise it is not possible to move the security fix into the
 main archives later.
 </para>
 </listitem>
 <listitem>
 <para>
-Build the package on a clean system which only has packages installed from the
-distribution you are building for.  If you do not have such a system yourself,
-you can use a debian.org machine (see <xref linkend="server-machines"/> ) or
-setup a chroot (see <xref linkend="pbuilder"/> and <xref
-linkend="debootstrap"/> ).
+Build the package on a <emphasis role="strong">clean system</emphasis> which only
+has packages installed from the distribution you are building for. If you do not
+have such a system yourself, you can use a debian.org machine (see
+<xref linkend="server-machines"/> ) or setup a chroot (see
+<xref linkend="pbuilder"/> and <xref linkend="debootstrap"/> ).
 </para>
 </listitem>
 </itemizedlist>
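Review bot: the item "Do not make source-only uploads if your package has any binary-all packages ... The buildd infrastructure will not build those" is dropped without a replacement or any explanation in the cover mail; unless the buildds now build arch-all packages from source-only uploads, that advice still holds for security uploads and should stay (or move to the general upload section, since the item itself said it applies to normal uploads as well). On the version number item: "of course increasing 1 for any subsequent uploads" is hard to parse; suggest "incrementing the trailing number for each subsequent upload (+etch2, +etch3, ...)", and it is worth spelling out what "proper" means using the check the text already recommends, e.g. dpkg --compare-versions 1:2.4.3-4+etch1 gt 1:2.4.3-4 && dpkg --compare-versions 1:2.4.3-4+etch1 lt 1:2.4.3-5, which is exactly the "greater than the current package, but less than later distributions" condition. Markup nits: the <literal> around dpkg --compare-versions now wraps across two lines, and <literal> dpkg-buildpackage -sd</literal> has a leading space, so the rendered command text may contain stray whitespace; keep each command on one line inside its <literal>, and drop the trailing space after "is proper.".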
@@ -1179,7 +1195,7 @@
 </para>
 <para>
 Once an upload to the security queue has been accepted, the package will
-automatically be rebuilt for all architectures and stored for verification by
+automatically be built for all architectures and stored for verification by
 the security team.
 </para>
 <para>

--- End Message ---
--- Begin Message ---
Source: developers-reference
Source-Version: 3.4.1

We believe that the bug you reported is fixed in the latest version of
developers-reference, which is due to be installed in the Debian FTP archive:

developers-reference-fr_3.4.1_all.deb
  to pool/main/d/developers-reference/developers-reference-fr_3.4.1_all.deb
developers-reference_3.4.1.dsc
  to pool/main/d/developers-reference/developers-reference_3.4.1.dsc
developers-reference_3.4.1.tar.gz
  to pool/main/d/developers-reference/developers-reference_3.4.1.tar.gz
developers-reference_3.4.1_all.deb
  to pool/main/d/developers-reference/developers-reference_3.4.1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 512620@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Lucas Nussbaum <lucas@lucas-nussbaum.net> (supplier of updated developers-reference package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Fri, 23 Jan 2009 09:57:54 +0100
Source: developers-reference
Binary: developers-reference developers-reference-fr
Architecture: source all
Version: 3.4.1
Distribution: unstable
Urgency: low
Maintainer: Debian Documentation Project <debian-doc@lists.debian.org>
Changed-By: Lucas Nussbaum <lucas@lucas-nussbaum.net>
Description: 
 developers-reference - guidelines and information for Debian developers
 developers-reference-fr - guidelines and information for Debian developers, in French
Closes: 367876 437392 464230 474879 480723 483227 485689 487664 492661 500371 510783 512529 512620
Changes: 
 developers-reference (3.4.1) unstable; urgency=low
 .
   [ Raphael Hertzog ]
   * Create a publish target in the Makefile to reenable builds on the
     website.
 .
   [ Lucas Nussbaum ]
   * Committed DEP1: rework the whole NMU section.
     The most important changes are:
     + NMUs are now explicitly allowed for all bugs, not just "serious bugs".
     + It is recommended to use the DELAYED queue, and some example delays are
       provided.
     Other fixes:
     + Describe the process of acknowledging NMUs in a way that works
       with the BTS's version-tracking. Closes: #480723.
     + No longer mention that only DDs can do NMU. Don't make any
       distinction. Closes: #464230.
     + Switch to +nmu for NMU versioning. Closes: #437392.
     + Mention nmudiff. Closes: #483227.
   * Mention docbook-xml, and that debiandoc-sgml is deprecated. Thanks to
     W. Martin Borgert for the patch. Closes: #485689.
   * Fixed typo and example in the blurb about debug packages.
     Thanks to Theppitak Karoonboonyanan for the patch.
     Closes: #487664.
   * Update instructions on the delayed queue.
     Thanks to Thijs Kinkhorst for the patch.
     Closes: #512529.
   * Clarify wording about repackaged .orig.tar.gz.
     Thanks to Cyril Brulebois for the patch.
     Closes: #492661.
   * Improved README.contrib. Mention command to checkout the SVN
     version. Thanks to Christine Spang for the patch.
     Closes: #500371.
   * Document usertags. Thanks to Chris Lamb for the patch.
     Closes: #367876.
   * Updated documentation on translation updates.
     Thanks to Christian Perrier for the patch.
     Closes: #474879.
   * Update instructions on handling of security issues.
     Thanks to Thijs Kinkhorst for the patch.
     Closes: #512620, #510783.




--- End Message ---
