<!ENTITY % commondata SYSTEM "common.ent" > %commondata;
<!-- CVS revision of this document -->
- <!ENTITY cvs-rev "$Revision: 1.222 $">
+ <!ENTITY cvs-rev "$Revision: 1.223 $">
<!-- if you are translating this document, please notate the CVS
revision of the original developer's reference in cvs-en-rev -->
package. Test other, normal actions as well, as sometimes a security
fix can break seemingly unrelated features in subtle ways.
<p>
+Do <strong>NOT</strong> include any changes in your package which are
+not directly related to fixing the vulnerability. These will only
+need to be reverted, and this wastes time. If there are other bugs in
+your package that you would like to fix, make an upload to
+proposed-updates in the usual way, after the security advisory is
+issued. The security update mechanism is not a means for introducing
+changes to your package which would otherwise be rejected from the
+stable release, so please do not attempt to do this.
+<p>
Review and test your changes as much as possible. Check the
differences from the previous version repeatedly
(<prgn>interdiff</prgn> from the <package>patchutils</package> package
and <prgn>debdiff</prgn> from <package>devscripts</package> are useful
tools for this, see <ref id="debdiff">).
<p>
-When packaging the fix, keep the following points in mind:
+Be sure to verify the following items:
<list>
- <item>Make sure you target the right distribution in your
+ <item>Target the right distribution in your
<file>debian/changelog</file>. For stable this is <tt>stable-security</tt> and for
testing this is <tt>testing-security</tt>, and for the previous
stable release, this is <tt>oldstable-security</tt>. Do not target
not build those. This point applies to normal package uploads as
well.
- <item>If the upstream source has been uploaded to
+ <item>Unless the upstream source has been uploaded to
security.debian.org before (by a previous security update), build
- the upload without the upstream source (<tt>dpkg-buildpackage
- -sd</tt>). Otherwise, build with full source
- (<tt>dpkg-buildpackage -sa</tt>).
+ the upload with full upstream source (<tt>dpkg-buildpackage
+ -sa</tt>). If there has been a previous upload to
+ security.debian.org with the same upstream version, you may upload
+ without upstream source (<tt>dpkg-buildpackage -sd</tt>).
<item>Be sure to use the exact same <file>*.orig.tar.gz</file> as used in the
normal archive, otherwise it is not possible to move the security
fix into the main archives later.
- <item>Be sure to build the package on a clean
+ <item>Build the package on a clean
system which only has packages installed from the distribution you
are building for. If you do not have such a system yourself, you
can use a debian.org machine (see <ref id="server-machines">)