Producing A Debian Security Advisory
These are my notes on how to release a security advisory for Debian GNU/Linux. They have now been updated to describe the "new" dak new-security-install method, which is much simpler than the previous approach.
The process of releasing an advisory requires several distinct steps:
- Building the fixed package.
- Writing the advisory text.
- Creating website pages.
- Sending out the announcement to the mailing list.
There now follows a worked example of issuing DSA-1317-1 for "tinymux".
The packages were built as normal for a security upload, and then approved.
Package building
The package was built as normal for a security update, with only minimal changes.
Build approval
Once a package has been built the various buildd machines will send out emails with the build log/result. These mails must be replied to appropriately. To do this use the dpkg-approve-buildd tool.
Record The Patch
The patch which has been applied to the package should be copied into /org/security.debian.org/patches for future reference.
Note: You'll need to be a security team member, or secretary, to do this.
Run ``new-security-install``
The packages must be pushed out so that we can get a list of MD5 sums, etc.
Run:
skx@klecker:$ cd /org/security.debian.org/queue/embargoed/
skx@klecker:$ dak new-security-install DSA-1317 tinymux_2.4.3.31*etch1*.changes
Once this runs you'll be presented with a simple menu. There are two things you need to do here: first press "E" to edit the advisory, making any changes you like, then press "A" to "accept" the packages.
The advisory created with the "E"dit advisory step will be saved in /org/security.debian.org/advisories/drafts/dsa-1317. This is a location from which you should be able to edit the draft, but not rename it or move it.
You might see errors related to a DSA number already being in use; these show up as messages like "Multiple advisories selected". To fix this run:
dak new-security-install --drop-advisory DSA-1234 package*.changes
Edit the advisory
The plain text advisory should have been created already, but you will need to fix it up a little bit. Two things you'll need to do:
- Update the text to match "recent" released advisories.
- Copy it somewhere safe with a name of the form "dsa-1317-1.package".
The file must have a name of the form "dsa-\d-\d.name" or the process of adding the advisory to the website will fail. Once you've renamed the file you can proceed to parsing the advisory and updating the website pages.
Parse Advisory
Once the template has been created run parse-advisory.pl to create the appropriate WML files:
skx@klecker:~/webwml/english/security$ ./parse-advisory.pl ~/dsa-1317-1.tinymux .. ..
Add the two new files to the CVS repository:
cvs add 2007/dsa-1317.wml 2007/dsa-1317.data
Note: See here for details on working with the Debian website and using WML generally. You will need commit access to issue advisories.
Send the advisory mail
Mail the advisory template file to debian-security-announce@lists.debian.org with an appropriate subject.
The subject should be "[DSA XXXX-1] new xxx packages fix yyy". The advisory should also be saved into /org/security.debian.org/advisories/DSA for future reference.
Note: The template must be "gpg --clearsign"d, or the mail to the list will not be accepted.
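Two of the steps above fail late and noisily if you get them wrong: the website tooling rejects an advisory whose file name is not of the form "dsa-NNNN-N.package", and the announce list drops a mail that is not gpg-clearsigned. The following shell script is an added example (not part of these notes or of Debian's own tooling) that checks both before you run parse-advisory.pl or send the mail, and derives the "[DSA XXXX-1] new xxx packages fix yyy" subject from the file name. The advisory file name, the summary text and the sample clearsigned file are all assumptions or constructed here; the clearsign check only confirms the PGP armour is present, it does not verify the signature (that is what gpg --verify is for).

```shell
#!/bin/sh
# Pre-flight checks for a DSA advisory file before parse-advisory.pl and the
# announce mail.  Added example, not Debian's own tooling.  Assumes the
# advisory lives in a file named like dsa-1317-1.tinymux.

# advisory_name_ok NAME -> true if NAME is dsa-<digits>-<digits>.<package>
advisory_name_ok() {
    printf '%s\n' "$1" | grep -Eq '^dsa-[0-9]+-[0-9]+\.[a-z0-9][a-z0-9+.-]+$'
}

# advisory_subject NAME SUMMARY -> "[DSA 1317-1] new tinymux packages fix SUMMARY"
advisory_subject() {
    name=$1
    summary=$2
    advisory_name_ok "$name" || return 1
    num=${name#dsa-}        # 1317-1.tinymux
    num=${num%%.*}          # 1317-1
    pkg=${name#*.}          # tinymux (package names may themselves contain dots)
    printf '[DSA %s] new %s packages fix %s\n' "$num" "$pkg" "$summary"
}

# advisory_clearsigned FILE -> true if FILE carries the `gpg --clearsign` armour.
# This only checks the framing lines are present; it does not verify the signature.
advisory_clearsigned() {
    [ -f "$1" ] || return 1
    head -n 1 "$1" | grep -q '^-----BEGIN PGP SIGNED MESSAGE-----$' || return 1
    grep -q '^-----BEGIN PGP SIGNATURE-----$' "$1" || return 1
    grep -q '^-----END PGP SIGNATURE-----$' "$1"
}

# Demo on a constructed sample: the shape a file has after `gpg --clearsign`
# (the signature body is a placeholder, a real one is a base64 block).
demo_dir=$(mktemp -d)
demo_file="$demo_dir/dsa-1317-1.tinymux"
cat > "$demo_file" <<'EOF'
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Debian Security Advisory DSA-1317-1 (constructed sample body)
-----BEGIN PGP SIGNATURE-----
(constructed placeholder signature)
-----END PGP SIGNATURE-----
EOF
if advisory_name_ok "$(basename "$demo_file")" && advisory_clearsigned "$demo_file"; then
    echo "ready to send: $(advisory_subject "$(basename "$demo_file")" 'buffer overflow')"
else
    echo "advisory file is not ready" >&2
fi
rm -rf "$demo_dir"
```

Run it as `sh check-dsa.sh`; the name check is deliberately strict about lower-case "dsa-" and the two numeric fields, since that is exactly the form the website import expects, and the subject helper refuses to produce a subject from a name that would fail the import anyway.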
Commit Files to CVS
Commit the new files to CVS, and update the .data file with a link to the debian-security-announce mail message; this will appear online about 20 minutes later.
Comments?
I think that I've included everything which is required, but I'll update if I realise I've missed any steps.