Inside the Debian Security Team
The Debian Security Team is responsible for producing updated packages and sending out alerts for all the security holes which affect the Stable release.
Currently there are five full members of the team and two secretaries, who are listed in the Debian Organizational Chart.
The Security Team Mailing Lists
The work of the security team is mostly conducted via a private mailing list, debian-security-private@lists.debian.org; this is where reported incidents and their fixes are discussed.
To make this list more public-friendly it receives all mail sent to the following two public addresses:
As reported in the Debian Security FAQ these addresses are used to report problems.
Finally there is another mailing list debian-security-announce which receives a new message every time a Debian Security Advisory is released.
No discussion is possible on the security announcement list, and it is completely spam-free: all messages must be appropriately signed before they are accepted.
Vendor Coordination
An important external mailing list allows the Debian team to coordinate with other Linux and Unix vendors. This is a closed mailing list called "vendor-sec", used for coordinating the disclosure of, and solutions to, security issues.
Update: The security team also receives all comments which are sent to bugs in the Debian bug tracking system which are tagged "security".
Producing Alerts and Updated Packages
To release a security advisory two things are required:
- A fixed version of the relevant package.
- The text of a security advisory.
Producing a fixed version of a package requires a patch: one that is publicly available, one produced internally, or one published on the vendor-sec mailing list. Once a patch is available, a package can be taken from the current Stable distribution and updated with it.
Uploading a fixed package
The fixed package should have three things in its changelog:
- A target of "stable-security", and "urgency=high".
- A mention that the package has been uploaded by the team.
- A description of the problem which was fixed.
No changes other than those, and the actual security fix, should be made. Once it is ready, the package is uploaded to a queue so that it can be rebuilt on all available architectures; currently this dupload configuration works:
# dupload.conf stanza for the security upload queue
$cfg{'security'} = {
    fqdn          => "security-master.debian.org",
    incoming      => "pub/SecurityUploadQueue",
    dinstall_runs => 1,
};
Patches which have been applied to the package should be saved in the directory /org/security.debian.org/patches.
Note: don't even think about performing an upload to that queue yourself without reading the Debian Security FAQ.
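As an added example, not code from the original article or from Debian's own tooling, here is a small pre-upload check in POSIX shell for the three changelog requirements listed above: the top stanza must target stable-security with urgency=high, must say the Security Team uploaded it, and must describe the problem fixed. The package name, version, addresses, dates and the "constructed issue" text in the two sample changelogs are all made up for the example.

```shell
#!/bin/sh
# Added example: check the top stanza of a debian/changelog before a
# stable-security upload. Sample data below is constructed, not real.

# check_changelog FILE
# Returns 0 when the top stanza is acceptable for a stable-security upload,
# 1 otherwise, with the reason on stderr.
check_changelog() {
    file="$1"
    # First line has the form "package (version) distribution; urgency=level"
    header="$(sed -n '1p' "$file")"
    dist="$(printf '%s\n' "$header" | sed -n 's/^[^ ]* ([^)]*) \([^;]*\);.*/\1/p')"
    urgency="$(printf '%s\n' "$header" | sed -n 's/.*urgency=\([a-z]*\).*/\1/p')"
    # Body of the top stanza: everything before its " -- maintainer  date" trailer
    body="$(sed -n '2,/^ -- /p' "$file" | sed '$d')"

    [ "$dist" = "stable-security" ] \
        || { echo "target is '$dist', expected stable-security" >&2; return 1; }
    [ "$urgency" = "high" ] \
        || { echo "urgency is '$urgency', expected high" >&2; return 1; }
    printf '%s\n' "$body" | grep -qi 'security team' \
        || { echo "changelog does not say the Security Team uploaded it" >&2; return 1; }
    # Heuristic: at least one bullet besides the upload note must describe the fix
    [ "$(printf '%s\n' "$body" | grep -c '^  \* ')" -ge 2 ] \
        || { echo "changelog does not describe the problem fixed" >&2; return 1; }
    return 0
}

# write_sample_changelog KIND: print a constructed changelog (good|bad)
write_sample_changelog() {
    case "$1" in
    good) cat <<'EOF'
examplepkg (1.2.3-1woody1) stable-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Fix a buffer overflow in the configuration parser (constructed issue).

 -- Security Team <team@security.example.org>  Mon, 01 Jan 2001 00:00:00 +0000

examplepkg (1.2.3-1) unstable; urgency=low

  * Initial release.

 -- Example Maintainer <maintainer@example.org>  Sun, 31 Dec 2000 00:00:00 +0000
EOF
    ;;
    bad) cat <<'EOF'
examplepkg (1.2.4-1) unstable; urgency=low

  * New upstream release.

 -- Example Maintainer <maintainer@example.org>  Tue, 02 Jan 2001 00:00:00 +0000
EOF
    ;;
    esac
}

# check_sample KIND: write the sample to a temporary file, check it,
# clean up, and return check_changelog's status.
check_sample() {
    tmp="$(mktemp)"
    write_sample_changelog "$1" > "$tmp"
    check_changelog "$tmp"
    status=$?
    rm -f "$tmp"
    return $status
}

if check_sample good; then echo "security upload changelog accepted"; fi
if check_sample bad 2>/dev/null; then echo "unexpected"; else echo "ordinary upload changelog rejected"; fi
```

Run it against a real debian/changelog with `check_changelog debian/changelog` before invoking dupload; the bullet-count test is only a heuristic for "describes the problem", so a human still reads the entry.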
Releasing the Advisory
Once the package has been built then it is released along with a signed email to the debian-security-announce list.
All messages posted to the debian-security-announce mailing list should have their follow-up set to the debian-security mailing list, so that any problems can be discussed there.
The process of actually releasing a security advisory is described in more detail here.