%!postproc(html): {{(.*?)}} <\1>
%!include: menu.inc

== Inside the Debian Security Team ==

The Debian Security Team is responsible for producing updated packages and sending out alerts for all the security holes which affect the Stable release.

Currently there are five full members of the team, and two secretaries, who are listed in the [Debian Organizational Chart http://www.debian.org/intro/organization].

=== The Security Team Mailing Lists ===

The work of the security team is mostly conducted via a private mailing list with the email address ``debian-security-private@lists.debian.org``; this is where reported incidents and their fixes are discussed.

To make this list more public-friendly it receives all mail sent to the following two public addresses:

- security@debian.org
- team@security.debian.org

As reported in the [Debian Security FAQ http://www.debian.org/security/faq], these addresses are used to report problems.

Finally there is another mailing list, [debian-security-announce http://lists.debian.org/debian-security-announce/], which receives a new message every time a Debian Security Advisory is released. No discussion is possible on the security announcement list, and it is completely SPAM-free. (All messages must be appropriately signed before they are accepted.)

== Vendor Coordination ==

An important external mailing list allows the Debian team to coordinate with other vendors of Linux and Unix. This is a closed mailing list called "``vendor-sec``", used for coordinating the disclosure of, and solutions to, security issues.

**Update**: The security team also receives all comments which are sent to bugs in the [Debian bug tracking system http://bugs.debian.org] which are tagged "//security//".
- [See all current Debian bugs tagged 'Security' http://bugs.debian.org/cgi-bin/pkgreport.cgi?tag=security]

== Producing Alerts and Updated Packages ==

To release a security advisory two things are required:

- A fixed version of the relevant package.
- The text of a security advisory.

Producing a fixed version of a package requires a patch, which may be publicly available, produced internally, or published on the ``vendor-sec`` mailing list. Once a patch is available, a package can be taken from the current Stable distribution and updated with it.

=== Uploading a fixed package ===

The fixed package should have three things in its changelog:

- A target of "stable-security", and "urgency=high".
- A mention that the package has been uploaded by the team.
- A description of the problem which was fixed.

No changes other than those, and the actual security fix, should be allowed.

Once it is ready the package is uploaded to a queue so that it can be rebuilt upon all available architectures; currently this dupload configuration works:

```
# dupload.conf entry for the security upload queue
$cfg{'security'} = {
    fqdn          => "security-master.debian.org",
    incoming      => "pub/SecurityUploadQueue",
    dinstall_runs => 1,
};
```

Patches which have been applied to the package should be saved in the directory ``/org/security.debian.org/patches``.

**Note:** don't even //think// about performing an upload to that queue yourself without reading the [Debian Security FAQ http://www.debian.org/security/faq].

== Releasing the Advisory ==

Once the package has been built it is released along with a signed email to the [debian-security-announce http://lists.debian.org/debian-security-announce] list.

All messages posted to the ``debian-security-announce`` mailing list should have their follow-up set to [the debian-security mailing list http://lists.debian.org/debian-security], so that if there are problems they can be discussed.

The process of actually releasing a security advisory is [described in more detail here dsa.html].
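A pre-upload check for the three changelog requirements listed under "Uploading a fixed package", added here as an example; it is not a tool of the Debian security team. The two changelog entries it runs against are constructed, and the package name, version and maintainer line in them are made up.

```shell
# Lint the topmost debian/changelog entry before a stable-security upload
# (added example, not a Debian security team tool): distribution must be
# "stable-security" with urgency=high, the body must say the Security Team
# made the upload, and it must describe the problem that was fixed.

check_changelog() {
    entry=$(cat)   # whole debian/changelog on stdin; only the top entry is examined
    header=$(printf '%s\n' "$entry" | sed -n '1p')
    # Header format: package (version) distribution; urgency=level
    dist=$(printf '%s\n' "$header" | sed -n 's/^[^ ]* ([^)]*) \([^;]*\);.*/\1/p')
    urgency=$(printf '%s\n' "$header" | sed -n 's/.*urgency=\([a-z]*\).*/\1/p')
    # Body lines sit between the header and the " -- maintainer" trailer
    body=$(printf '%s\n' "$entry" | sed -n '2,/^ -- /p' | grep '^  ' || true)
    status=0
    [ "$dist" = "stable-security" ] ||
        { echo "FAIL: distribution is '$dist', expected stable-security"; status=1; }
    [ "$urgency" = "high" ] ||
        { echo "FAIL: urgency is '$urgency', expected high"; status=1; }
    printf '%s\n' "$body" | grep -qi 'security team' ||
        { echo "FAIL: no mention that the Security Team made the upload"; status=1; }
    # The entry must say what was fixed, not only who uploaded it
    printf '%s\n' "$body" | grep -vi 'security team' | grep -q '[A-Za-z]' ||
        { echo "FAIL: no description of the problem that was fixed"; status=1; }
    if [ "$status" -eq 0 ]; then echo "OK: entry meets the stable-security upload requirements"; fi
    return "$status"
}

# Constructed sample entries; package, version and maintainer are made up.
good_entry() {
    cat <<'EOF'
hello (2.10-1+deb10u1) stable-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Fix a missing length check in the option parser (constructed issue).

 -- Example Maintainer <maintainer@example.org>  Mon, 01 Jan 2001 00:00:00 +0000
EOF
}

bad_entry() {
    cat <<'EOF'
hello (2.10-2) unstable; urgency=low

  * New upstream release.

 -- Example Maintainer <maintainer@example.org>  Mon, 01 Jan 2001 00:00:00 +0000
EOF
}

good_entry | check_changelog; bad_entry | check_changelog   # prints OK, then three FAIL lines
```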
{{/div}}
{{div id="sidecontent"}}

== Security Links ==

- [Debian Security Pages http://security.debian.org/]
- [Debian Security Announcements http://lists.debian.org/debian-security-announce/]

{{/div}}
%!include: footer.inc