X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?a=blobdiff_plain;f=developers-reference.sgml;h=53010fe55e062ba4f1cefe5dee1700af45a02e49;hb=e5dac6a9f044e6959f8007fdaf24ce8b04a8d467;hp=5ff3f5190397534ec79c564bae7ce161b627ec1e;hpb=41145695d172cd34975aba3921b411daf1a4a6f7;p=developers-reference.git diff --git a/developers-reference.sgml b/developers-reference.sgml index 5ff3f51..53010fe 100644 --- a/developers-reference.sgml +++ b/developers-reference.sgml @@ -6,7 +6,7 @@ %commondata; - + - What to do when you learn of a - security problem -

+

When you become aware of a security-related bug in a Debian package, whether or not you are the maintainer, collect pertinent information -about the problem, and promptly contact the security team at -&email-security-team;. -Useful information includes, for example: +about the problem, and promptly contact the security team at +&email-security-team; as soon as possible. Useful information +includes, for example: What versions of the package are known to be affected by the @@ -2025,7 +2153,11 @@ Useful information includes, for example: especially helpful) Any fixed packages that you have prepared yourself (send only - the .diff.gz and .dsc files) + the .diff.gz and .dsc files and read first) + + Any assistance you can provide to help with testing (exploits, + regression testing, etc.) Any information needed for the advisory (see ) @@ -2035,9 +2167,12 @@ Useful information includes, for example: Confidentiality

Unlike most other activities within Debian, information about security -issues must sometimes be kept private for a time. Whether this is the +issues must sometimes be kept private for a time. +This allows software distributors to coordinate their disclosure in +order to minimize their users' exposure. Whether this is the case depends on the nature of the problem and corresponding fix, and whether it is already a matter of public knowledge. +

There are a few ways a developer can learn of a security problem: @@ -2053,27 +2188,28 @@ There are a few ways a developer can learn of a security problem: possible options for dealing with the problem: - if it is a trivial problem (like insecure temporary files) - there is no need to keep the problem a secret and a fix should be - made and released. + If the security exposure is minor, there is sometimes no need + to keep the problem a secret and a fix should be made and released. - if the problem is severe (remotely exploitable, possibility to - gain root privileges) it is preferable to share the information with + If the problem is severe, it is preferable to share the + information with other vendors and coordinate a release. The security team keeps contacts with the various organizations and individuals and can take care of that.

- In all cases if the person who reports the problem asks to not - disclose the information that should be respected, with the obvious - exception of informing the security team (make sure you tell the - security team that the information can not be disclosed). + In all cases if the person who reports the problem asks that it not + be disclosed, such requests should be honored, with the obvious + exception of informing the security team in order that a fix may be + produced for a stable release of Debian. When sending confidential + information to the security team, be sure to mention this fact.

-Please note that if secrecy is needed you can also not upload a fix to -unstable (or anywhere else), since the changelog and diff information -for unstable is public. +Please note that if secrecy is needed you may not upload a fix to +unstable (or anywhere else, such as a public CVS repository). It is +not sufficient to obfuscate the details of the change, as the code +itself is public, and can (and will) be examined by the general public.

There are two reasons for releasing information even though secrecy is @@ -2083,27 +2219,34 @@ or exploit has become public. Security Advisories

Security advisories are only issued for the current, released stable -distribution, not for testing or unstable. When released, advisories +distribution, and not for testing or unstable. When released, +advisories are sent to the &email-debian-security-announce; + mailing list and posted on . Security advisories are written and posted by the security -team. However they certainly do not mind if a maintainer can supply -some of the information for them, or write part of the -text. Information that should be in an advisory includes: +team. However they certainly do not mind if a +maintainer can supply some of the information for them, or write part +of the text. Information that should be in an advisory includes: A description of the problem and its scope, including: The type of problem (privilege escalation, denial of service, etc.) + What privileges may be gained, and by whom (if any) How it can be exploited Whether it is remotely or locally exploitable How the problem was fixed + + This information allows users to assess the threat to their systems. + Version numbers of affected packages Version numbers of fixed packages Information on where to obtain the updated packages + (usually from the Debian security archive) References to upstream advisories, identifiers, and any other information useful in cross-referencing the vulnerability @@ -2113,16 +2256,17 @@ text. Information that should be in an advisory includes: Preparing packages to address security issues

One way that you can assist the security team in their duties is to -provide fixed packages suitable for a security advisory for the stable +provide them with fixed packages suitable for a security advisory for +the stable Debian release.

When an update is made to the stable release, care must be taken to avoid changing system behavior or introducing new bugs. In order to do this, make as few changes as possible to fix the bug. Users and administrators rely on the exact behavior of a release once it is - made, so any change that is made might break someone's system. - This is especially true of libraries: make sure you never change the - API or ABI, no matter how small the change. + made, so any change that is made might break someone's system. This + is especially true of libraries: make sure you never change the API or + ABI, no matter how small the change.

This means that moving to a new upstream version is not a good solution. Instead, the relevant changes should be back-ported to the @@ -2133,8 +2277,8 @@ Debian security team may be able to help. In some cases, it is not possible to back-port a security fix, for example when large amounts of source code need to be modified or rewritten. If this happens, it may be necessary to move to a new -upstream version. However, you must always coordinate that with the -security team beforehand. +upstream version. However, this is only done in extreme situations, +and you must always coordinate that with the security team beforehand.

Related to this is another important guideline: always test your changes. If you have an exploit available, try it and see if it @@ -2157,6 +2301,11 @@ When packaging the fix, keep the following points in mind: stable release, this is oldstable-security. Do not target distribution-proposed-updates! + Make descriptive, meaningful changelog entries. Others will + rely on them to determine whether a particular bug was fixed. + Whenever possible, include an external reference, preferably a CVE + identifier, so that it can be cross-referenced. + Make sure the version number is proper. It must be greater than the current package, but less than package versions in later distributions. If in doubt, test it with dpkg @@ -2181,7 +2330,7 @@ When packaging the fix, keep the following points in mind: normal archive, otherwise it is not possible to move the security fix into the main archives later. - Be sure, when compiling a package, to compile on a clean + Be sure to build the package on a clean system which only has packages installed from the distribution you are building for. If you do not have such a system yourself, you can use a debian.org machine (see ) @@ -2191,7 +2340,8 @@ When packaging the fix, keep the following points in mind: Uploading the fixed package

-DO NOT upload a package to the security upload queue without +DO NOT upload a package to the security upload queue +(oldstable-security, stable-security, etc.) without prior authorization from the security team. If the package does not exactly meet the team's requirements, it will cause many problems and delays in dealing with the unwanted upload. @@ -2226,7 +2376,6 @@ installed on security.debian.org as well as the proper distribution-proposed-updates on ftp-master or in the non-US archive. - Moving, removing, renaming, adopting, and orphaning packages @@ -2474,7 +2623,7 @@ Make sure your debian/rules contains separate ``binary-arch'' and ``binary-indep'' targets, as the Debian Policy Manual requires. Make sure that both targets work independently, that is, that you can call the target without having called the other before. To test this, -try to run dpkg-buildpackage -b. +try to run dpkg-buildpackage -B. @@ -3043,22 +3192,22 @@ documentation and examples (in /usr/share/doc/dpatch). Multiple binary packages

A single source package will often build several binary packages, -either to provide several flavors of the same software (examples are -the vim-* packages) or to make several small +either to provide several flavors of the same software (e.g., +the vim source package) or to make several small packages instead of a big one (e.g., if the user can install only the subset she needs, and thus save some disk space).

The second case can be easily managed in debian/rules. You just need to move the appropriate files from the build directory into the package's temporary trees. You can do this using -install (vanilla approach) or dh_install -(from debhelper). Be sure to check the different +install or dh_install +from debhelper. Be sure to check the different permutations of the various packages, ensuring that you have the inter-package dependencies set right in debian/control.

The first case is a bit more difficult since it involves multiple -recompiles of the same software but with different configure -options. The vim is an example of how to manage +recompiles of the same software but with different configuration +options. The vim source package is an example of how to manage this using an hand-crafted debian/rules file. + + + Best practices for maintainer scripts

Maintainer scripts include the files debian/postinst, @@ -3123,82 +3564,11 @@ not on the root partition. That is, it's in /usr/bin rather than /bin, so one can't use it in scripts which are run before the /usr partition is mounted. Most scripts won't have this problem, though. - - - - Best practices for debian/control -

-The following practices supplement the .

- - - Writing useful descriptions -

-The description of the package (as defined by the corresponding field -in the control file) is the primary information available -to the user about a package before they install it. It should provide -all the required information to let the user decide whether to install -the package. -

-The following practices supplement the . -

-The synopsis line (the short description) should primarily be concise. -You may capitalize the first letter for aesthetics. It is customary to -make the synopsis an appositive clause (not a full sentence) in which -case there's no need to put a full stop (period) at the end. -

-The long description should, however, always consist of full sentences. -

-Since the first user impression is based on the description, be -careful to avoid spelling and grammar mistakes. Ensure that you -spell-check it. ispell has a special -g option -for debian/control files: - -ispell -d american -g debian/control - -If you want someone to proofread the description that you -intend to use you may ask on &email-debian-l10n-english;. - - - - Upstream home page -

-We recommend that you add the URL for the package's home page to the -package description in debian/control. This information -should be added at the -end of description, using the following format: - - . - Homepage: http://some-project.some-place.org/ - -Note the spaces prepending the line, which serves to break the lines -correctly. To see an example of how this displays, see . -

-If there is no home page for the software, this should naturally be -left empty. -

-Note that we expect this field will eventually be replaced by a proper -debian/control field understood by dpkg and -&packages-host;. If you don't want to bother migrating the -home page from the description to this field, you should probably wait -until that is available.

-
- - Configuration management with debconf -

Debconf is a configuration management system which can be used by all the various packaging scripts @@ -3382,154 +3752,28 @@ Lisp packages should register themselves with sympa may be an example package --> - Architecture-independent data -

- It is not uncommon to have a large amount of architecture-independent - data packaged with a program. For example, collection of icons, - wallpapers or other graphic files, or audio files. If the size of - this data is negligible compared to the size of the remainder of the - package, you can keep it all in the same package. - -

- However, if the size of the data is considerable, consider splitting - it out into a separate, architecture-independent package - ("_all.deb"). By doing this, you avoid needless duplication of the - same data into eleven or more .debs per each architecture. While - this adds some extra overhead into the Packages files, it can save a - lot of disk space on Debian mirrors, and it also reduces processing - time of Lintian or Linda when run over the entire Debian archive. - - + + Architecture-independent data +

+It is not uncommon to have a large amount of architecture-independent +data packaged with a program. For example, audio files, a collection +of icons, wallpaper patterns, or other graphic files. If the size of +this data is negligible compared to the size of the rest of the +package, it's probably best to keep it all in a single package. +

+However, if the size of the data is considerable, consider splitting +it out into a separate, architecture-independent package ("_all.deb"). +By doing this, you avoid needless duplication of the same data into +eleven or more .debs, one per each architecture. While this +adds some extra overhead into the Packages files, it +saves a lot of disk space on Debian mirrors. Separating out +architecture-independent data also reduces processing time of +lintian or linda (see ) +when run over the entire Debian archive. + - - Best practices for debian/changelog -

-The following practices supplement the .

- - - Writing useful changelog entries -

-The changelog entry for a package revision documents changes in that -revision, and only them. Concentrate on describing changes you did since -the last version that are worth mentioning. -

-Focus on what was changed; who, how and when are usually less -important. Having said that, remember to politely attribute people who have -provided notable help in making the package (e.g. those who have sent in -patches). -

-There's no need to elaborate the trivial and obvious changes. You can also -aggregate several such changes in one entry. However, don't be overly terse -if you have undertaken a major change. Be especially clear if there are -changes that affect the behaviour of the program -- and for further -explanations, use the README.Debian file. -

-Use common English language, one which the majority of viewers can -understand. Avoid abbreviations, "tech-speak" and jargon when explaining -changes that close bugs, especially if the said bugs were filed by users -that did not strike you as particularly techically savvy. Also, be polite, -don't swear. -

-It is customary to prefix changelog entries with the names of the files that -were changed. There's no need to explicitely list each and every last one of -the changed files, especially if the change was small or repetitive -- use -wildcard characters wisely. -

-When referring to bugs, don't assume anything -- say what the problem was, -how it was fixed, and append the "closes: #nnnnn" string. -See for more information. - - - Common misconceptions about changelog entries -

-The changelog entries should not document generic packaging -issues ("Hey, if you're looking for foo.conf, it's in /etc/blah/."), since -administrators and users are supposed to be at least remotely acquainted -with how such things are generally arranged on Debian systems. Do, however, -mention if you change the location of a configuration file. -

-The only bugs closed with a changelog entry should be those that are -actually fixed in the same package revision. Closing bugs unrelated bugs in -the changelog is considered very bad practice. See . -

-The changelog entries should not be used for random -discussion with bug reporters ("I don't see segfaults when starting foo -with option bar; send in more info.") or pleas for help ("The bug list -on this package is huge, please lend me a hand."). Such things usually -won't be noticed by their target audience, but will on the other hand -annoy people who wish to read information about actual changes in the -package. Please see for more information on -how to use the bug tracking system. -

-It is an old tradition to acknowledge bugs fixed in non-maintainer uploads -in the first changelog entry of the real maintainer. You don't have to -follow it, though: if you are certain that you will include the changes from -the NMU in your next release, you can simply close the bugs the normal way. -It's usually polite to note that the bugs were fixed by another developer. -

-Changelogs shouldn't include general statements on life, the universe and -everything ("Sorry this upload took me so long, but I caught the flu."). -Exceptions can be made if the comment is funny ;-) Obviously, this is -subjective, so it's likely best if it's kept out of technical documentation -such as changelogs. - - - Common errors in changelog entries -

- - * Fixed all outstanding bugs. - -

-This doesn't tell readers anything too useful, obviously. Don't do that(TM). - - - * Applied patch from Jane Random. - -

-What was the patch about? - - - * Late night install target overhaul. - -

-Overhaul which accomplished...? Is the mention of late night supposed to -remind us that we shouldn't trust that code? - - - * Fix vsync FU w/ ancient CRTs. - -

-Too many acronyms, and it's not overly clear what the fuckup (oops, -a curse word!) was actually about, or how it was fixed. - - - * This is not a bug. Closes: #nnnnnn - -

-First of all, there's absolutely no need to upload the package to convey -this information. Use the bug tracking system! Secondly, there's no -explanation as to why the report is not a bug. - - - * Has been fixed for ages, but I forgot to close. Closes: #54321 - -

-If for some reason you didn't mention the bug number in a previous changelog -entry, there's no problem, just close the bug normally in the BTS. There's -no need to touch the changelog file, presuming the description of the fix is -already in (this applies to the fixes by the upstream authors/maintainers as -well, you don't have to track bugs that they fixed ages ago in your -changelog). - - - * Closes: #12345, #12346, #15432 - -

-Where's the description?! If you can't think of a descriptive message, start -by inserting the title of each different bug. - + @@ -3545,21 +3789,39 @@ members in choosing what they want to work on and in choosing the most critical thing to spend their time on. - Bug reporting + Bug reporting

We encourage you to file bugs as you find them in Debian packages. In fact, Debian developers are often the first line testers. Finding and -reporting bugs in other developer's packages improves the quality of +reporting bugs in other developers' packages improves the quality of Debian.

+Read the in the Debian . +

Try to submit the bug from a normal user account at which you are -likely to receive mail. Do not submit bugs as root. +likely to receive mail, so that people can reach you if they need +further information about the bug. Do not submit bugs as root. +

+You can use a tool like to +submit bugs. It can automate and generally ease the process. +

+Make sure the bug is not already filed against a package. +Each package has a bug list easily reachable at +http://&bugs-host;/packagename +Utilities like can also +provide you with this information (and reportbug +will usually invoke querybts before sending, too). +

+Try to direct your bugs to the proper location. When for example +your bug is about a package that overwrites files from another package, +check the bug lists for both of those packages in order to +avoid filing duplicate bug reports.

-Make sure the bug is not already filed against a package. Try to do a -good job reporting a bug and redirecting it to the proper location. For extra credit, you can go through other packages, merging bugs -which are reported more than once, or setting bug severities to -`fixed' when they have already been fixed. Note that when you are +which are reported more than once, or tagging bugs `fixed' +when they have already been fixed. Note that when you are neither the bug submitter nor the package maintainer, you should not actually close the bug (unless you secure permission from the maintainer). @@ -3568,7 +3830,7 @@ From time to time you may want to check what has been going on with the bug reports that you submitted. Take this opportunity to close those that you can't reproduce anymore. To find out all the bugs you submitted, you just have to visit -http://&bugs-host;/from:<your-email-addr>. +http://&bugs-host;/from:<your-email-addr>. Reporting lots of bugs at once

@@ -3587,7 +3849,7 @@ will help prevent a situation in which several maintainers start filing the same bug report simultaneously.

Note that when sending lots of bugs on the same subject, you should -send the bug report to maintonly@bugs.debian.org so +send the bug report to maintonly@&bugs-host; so that the bug report is not forwarded to the bug distribution mailing list. @@ -3915,7 +4177,7 @@ written in Python rather than Perl.

debdiff

-debdiff (from the devscripts package) +debdiff (from the devscripts package, ) compares file lists and control files of two packages. It is a simple regression test, as it will help you notice if the number of binary packages has changed since the last upload, or if something's changed @@ -4190,7 +4452,8 @@ finalizing a version and listing the package's current bugs.

dpkg-depcheck

-dpkg-depcheck (from the devscripts package) +dpkg-depcheck (from the devscripts +package, ) runs a command under strace to determine all the packages that were used by the said command.

@@ -4275,6 +4538,9 @@ it.
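Review bot: the new list item "Any assistance you can provide to help with testing (exploits, regression testing, etc.)" in the @@ -2025 hunk should state that such material goes only to &email-security-team; and nowhere public, since the Confidentiality section that follows makes clear this is exactly the information that must be kept private until the advisory is out. In the same hunk, "(send only the .diff.gz and .dsc files and read first)" renders with no visible target after "read", so check that the cross-reference tag is intact and that the sentence does not dangle when rendered.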
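Review bot: in the @@ -2053 hunk, replacing "if it is a trivial problem (like insecure temporary files)" with "If the security exposure is minor" and "(remotely exploitable, possibility to gain root privileges)" with "If the problem is severe" removes the only concrete criteria a maintainer had for choosing between publishing a fix immediately and coordinating through the security team. Suggest keeping the examples as parentheticals, e.g. "If the security exposure is minor (e.g. insecure temporary files)" and "If the problem is severe (e.g. remotely exploitable, or allowing root privileges to be gained)", so the two branches remain distinguishable.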
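Review bot: the advisory contents list in the @@ -2083 hunk says "References to upstream advisories, identifiers, and any other information useful in cross-referencing the vulnerability", while the packaging bullet added in the @@ -2157 hunk specifically asks for "a CVE identifier"; suggest naming CVE identifiers here as well so the advisory and the changelog entry carry the same reference. The new item "What privileges may be gained, and by whom (if any)" and the sentence "This information allows users to assess the threat to their systems." are good additions and should stay.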
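Review bot: the new bullet in the @@ -2157 hunk, "Make descriptive, meaningful changelog entries. Others will rely on them to determine whether a particular bug was fixed.", would be stronger with a cross-reference to the Security Advisories section, since the same identifier the bullet asks for ("preferably a CVE identifier") is what the advisory's references list must contain, and stating the link keeps the two from drifting apart.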
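Review bot: the change from "dpkg-buildpackage -b" to "dpkg-buildpackage -B" in the @@ -2474 hunk is correct for checking that binary-arch works without binary-indep having run, because -B invokes only the binary-arch target, but the surrounding sentence promises to test that "both targets work independently" and -B exercises just one direction. Suggest adding how to test the other direction, for example running "fakeroot debian/rules binary-indep" on a freshly unpacked tree, so readers do not assume a single -B build covers both cases.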
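Review bot: the trailing context of the @@ -3043 hunk still reads "this using an hand-crafted debian/rules file"; while touching these lines, change "an hand-crafted" to "a hand-crafted". The rewording "the vim source package" in place of "the vim-* packages" is clearer and reads well.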
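Review bot: the @@ -3123 hunk deletes the entire "Best practices for debian/control" section (including the "ispell -d american -g debian/control" example and the "Homepage:" convention) and the @@ -3382 hunk deletes all of "Best practices for debian/changelog" together with "Common errors in changelog entries", with no replacement visible in this diff. The hunk headers show the offset growing from +128 at @@ -2025 to +441 at @@ -3123, so the text was most likely moved earlier in the file, but the commit should say so explicitly; otherwise the diff reads as dropping the very changelog guidance that the new security bullet ("Make descriptive, meaningful changelog entries") now relies on. In the re-indented "Architecture-independent data" text of the same hunk, "eleven or more .debs, one per each architecture" should read "one per architecture".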
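Review bot: several cross-references added in the @@ -3545 hunk render with no visible text here ("Read the in the Debian .", "You can use a tool like to submit bugs", "Utilities like can also"), so confirm that each ref and package tag actually carries a name; as shown, the sentences are incomplete. In the same hunk, "http://&bugs-host;/packagename" should mark packagename as a placeholder (e.g. with <var>) so readers do not type it literally, and the duplicate-bug paragraph ("check the bug lists for both of those packages") is a useful addition that should stay.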