<!ENTITY % commondata SYSTEM "common.ent" > %commondata;
<!-- CVS revision of this document -->
- <!ENTITY cvs-rev "$Revision: 1.222 $">
+ <!ENTITY cvs-rev "$Revision: 1.226 $">
<!-- if you are translating this document, please notate the CVS
revision of the original developer's reference in cvs-en-rev -->
(<file>disks-i386</file>, <file>disks-m68k</file>, etc.).
- <sect1>Sections
+ <sect1 id="archive-sections">Sections
<p>
The <em>main</em> section of the Debian archive is what makes up the
<strong>official &debian-formal; distribution</strong>. The
Note also that if you upload via queues, the queue daemon software will
also send you a notification by email.
- <sect id="override-file">Determining section and priority of a package
+ <sect id="override-file">Specifying the package section, subsection and priority
<p>
The <file>debian/control</file> file's <tt>Section</tt> and
<tt>Priority</tt> fields do not actually specify where the file will
name="dpkg-scanpackages" section="8"> and
<url id="&url-bts-devel;#maintincorrect">.
<p>
-Note also that the term "section" is used for the separation of packages
-according to their licensing, e.g. <em>main</em>, <em>contrib</em> and
-<em>non-free</em>. This is described in another section, <ref id="archive">.
+Note that the <tt>Section</tt> field describes both the section as
+well as the subsection, which are described in <ref
+id="archive-sections">. If the section is "main", it should be
+omitted. The list of allowable subsections can be found in <url
+id="&url-debian-policy;ch-archive.html#s-subsections">.
<sect id="bug-handling">Handling bugs
When you become aware of a security-related bug in a Debian package,
whether or not you are the maintainer, collect pertinent information
about the problem, and promptly contact the security team at
-&email-security-team; as soon as possible. Useful information
-includes, for example:
+&email-security-team; as soon as possible. <strong>DO NOT UPLOAD</strong> any
+packages for stable; the security team will do that.
+
+Useful information includes, for example:
<list compact>
<item>What versions of the package are known to be affected by the
package. Test other, normal actions as well, as sometimes a security
fix can break seemingly unrelated features in subtle ways.
<p>
+Do <strong>NOT</strong> include any changes in your package which are
+not directly related to fixing the vulnerability. These will only
+need to be reverted, and this wastes time. If there are other bugs in
+your package that you would like to fix, make an upload to
+proposed-updates in the usual way, after the security advisory is
+issued. The security update mechanism is not a means for introducing
+changes to your package which would otherwise be rejected from the
+stable release, so please do not attempt to do this.
+<p>
Review and test your changes as much as possible. Check the
differences from the previous version repeatedly
(<prgn>interdiff</prgn> from the <package>patchutils</package> package
and <prgn>debdiff</prgn> from <package>devscripts</package> are useful
tools for this, see <ref id="debdiff">).
<p>
-When packaging the fix, keep the following points in mind:
+Be sure to verify the following items:
<list>
- <item>Make sure you target the right distribution in your
+ <item>Target the right distribution in your
<file>debian/changelog</file>. For stable this is <tt>stable-security</tt> and for
testing this is <tt>testing-security</tt>, and for the previous
stable release, this is <tt>oldstable-security</tt>. Do not target
<var>distribution</var>-proposed-updates or <tt>stable</tt>!
+ <item>The upload should have urgency=high.
+
<item>Make descriptive, meaningful changelog entries. Others will
rely on them to determine whether a particular bug was fixed.
Always include an external reference, preferably a CVE
not build those. This point applies to normal package uploads as
well.
- <item>If the upstream source has been uploaded to
+ <item>Unless the upstream source has been uploaded to
security.debian.org before (by a previous security update), build
- the upload without the upstream source (<tt>dpkg-buildpackage
- -sd</tt>). Otherwise, build with full source
- (<tt>dpkg-buildpackage -sa</tt>).
+ the upload with full upstream source (<tt>dpkg-buildpackage
+ -sa</tt>). If there has been a previous upload to
+ security.debian.org with the same upstream version, you may upload
+ without upstream source (<tt>dpkg-buildpackage -sd</tt>).
<item>Be sure to use the exact same <file>*.orig.tar.gz</file> as used in the
normal archive, otherwise it is not possible to move the security
fix into the main archives later.
- <item>Be sure to build the package on a clean
+ <item>Build the package on a clean
system which only has packages installed from the distribution you
are building for. If you do not have such a system yourself, you
can use a debian.org machine (see <ref id="server-machines">)