-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Use of RT
=========
The Security Team is now using Request Tracker (RT) to coordinate work,
and our RT processes have already been refined a lot.

If you're a package maintainer working towards a security update,
you're now encouraged to open a ticket directly. You will be kept in
CC during the lifetime of the ticket. If you're opening a ticket for a
security problem which is not yet publicly known, e.g. if you've
discovered it yourself or if you have been contacted by upstream,
please open it in the "Security - Private" queue. These issues will
only be visible to the Security Team.

If you're opening a ticket for a security problem which is already
publicly known, e.g. if it's announced on the project web site, please
open it in the "Security" queue. These issues will be visible publicly.

Security Patch Test Program
===========================
We're planning to improve our quality assurance process for security
updates by providing a public security update beta test program, in
addition to the existing QA done for security updates.

During the preparation of security updates, there's an inherent delay
between the initial upload of the fixed packages and the time the
packages have been built on the porter machines. This time gap will be
used for the new security update beta program. The test program will
be targeted at large installations which install security updates in a
test environment before installing them into the production
environment. This test group will initially be limited in size.

Public patch review
===================
To ease review of updates and increase transparency, a new mailing
list is planned, on which the diffs made for security updates will be
posted. Anyone wishing to help implement this should contact
team@security.debian.org.

Open issues for Lenny
======================
Some technical issues which affect the release of Lenny and the
packages contained within have been communicated to the release
managers. Most of these will be handled through bug reports, some of
which are already filed, so if you maintain such a package you should
already be aware of them.

As an example, some legacy libraries will be phased out to reduce the
security maintenance overhead (e.g. the Gnome 1.x packages).

If there's anything you'd like to bring to our attention, please
contact us at team@security.debian.org.

Minor security fixes as part of a stable point update
======================================================
Some security issues are not severe enough to be fixed through a
Debian Security Advisory. Some of them might still be fixed through
the regular point updates, where they cause less work for the
administrator installing the updates. Nico Golde <nion@debian.org> is
coordinating these updates and can assist the respective maintainer
with the necessary procedures.

Looking for new Security Team Members
=====================================
We've recently extended our ranks by Thijs and Florian, and we're
looking for up to two more people to broaden our base further. The
basic requirements are:

* You need to have prior experience with security work. Please outline
  what you've done in the past, both within and outside Debian.

* You must have time to spare. You'll need to be able to dedicate a
  chunk of time each week to this task, and be able to keep up with
  what's going on on a close to daily basis. Also, please tell us which
  time zone you live in and during which times you'll typically be able
  to communicate with the rest of us.

* Diligence is the key.

* You need to be an experienced programmer, both in understanding
  existing code and in creating / backporting patches. You don't need
  to be able to understand every language in our archive (which is
  impossible), but tell us about your existing skill set.

* You need to be familiar with how the wide variety of Debian packages
  are maintained, patched and built. If you're not scared by packages
  generating their patch series by applying sed statements from cdbs
  include files before passing the patches through an awk filter to
  quilt until they're finally built with yada, you might be the right
  person.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFH1F6oXm3vHE4uyloRAqIMAJ4740p2hIVZCjrXRYbXu4stYln+6wCePl4R
PUwZYf02EMKkV1ewXQ2Idc4=
=l0/0
-----END PGP SIGNATURE-----
--
To UNSUBSCRIBE, email to debian-devel-announce-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact
listmaster@lists.debian.org