<literal>unstable</literal>.
</para>
<para>
-Actually, there are two other possible distributions: <literal>stable-security</literal>
-and <literal>testing-security</literal>, but read
-<xref linkend="bug-security"/> for more information on those.
+Actually, there are other possible distributions:
+<replaceable>codename</replaceable><literal>-security</literal>,
+but read <xref linkend="bug-security"/> for more information on those.
</para>
<para>
It is not possible to upload a package into several distributions at the same
<title>Security uploads</title>
<para>
Do <emphasis role="strong">NOT</emphasis> upload a package to the security
-upload queue (<literal>oldstable-security</literal>, <literal>stable-security</literal>,
-etc.) without prior authorization from the security team. If the
+upload queue (on <literal>security-master.debian.org</literal>)
+without prior authorization from the security team. If the
package does not exactly meet the team's requirements, it will cause many
problems and delays in dealing with the unwanted upload. For details, please
see <xref linkend="bug-security"/>.
<para>
When you become aware of a security-related bug in a Debian package, whether or
not you are the maintainer, collect pertinent information about the problem,
-and promptly contact the security team, preferably by filing a ticket in
-their Request Tracker.
-See <ulink url="http://wiki.debian.org/rt.debian.org#Security_Team"></ulink>.
-Alternatively you may email &email-security-team;.
+and promptly contact the security team by emailing &email-security-team;. If
+desired, email can be encrypted with the Debian Security Contact key, see
+<ulink url="https://www.debian.org/security/faq#contact"/> for details.
<emphasis role="strong">DO NOT UPLOAD</emphasis> any packages for
<literal>stable</literal> without contacting the team. Useful information
includes, for example:
<listitem>
<para>
<emphasis role="strong">Target the right distribution</emphasis>
-in your <filename>debian/changelog</filename>.
-For <literal>stable</literal> this is <literal>stable-security</literal> and
-for <literal>testing</literal> this is <literal>testing-security</literal>, and for the previous
-stable release, this is <literal>oldstable-security</literal>. Do not target
-<replaceable>distribution</replaceable><literal>-proposed-updates</literal> or
+in your <filename>debian/changelog</filename>:
+<replaceable>codename</replaceable><literal>-security</literal>
+(e.g. <literal>wheezy-security</literal>).
+Do not target <replaceable>distribution</replaceable><literal>-proposed-updates</literal> or
<literal>stable</literal>!
</para>
</listitem>
--compare-versions</literal>. Be careful not to re-use a version number that
you have already used for a previous upload, or one that conflicts with a
binNMU. The convention is to append
-<literal>+</literal><replaceable>codename</replaceable><literal>1</literal>, e.g.
-<literal>1:2.4.3-4+lenny1</literal>, of course increasing 1 for any subsequent
+<literal>+deb</literal><replaceable>X</replaceable><literal>u1</literal> (where
+<replaceable>X</replaceable> is the major release number), e.g.
+<literal>1:2.4.3-4+deb7u1</literal>, of course increasing 1 for any subsequent
uploads.
</para>
</listitem>
<title>Uploading the fixed package</title>
<para>
Do <emphasis role="strong">NOT</emphasis> upload a package to the security
-upload queue (<literal>oldstable-security</literal>, <literal>stable-security</literal>,
-etc.) without prior authorization from the security team. If the
+upload queue (on <literal>security-master.debian.org</literal>)
+without prior authorization from the security team. If the
package does not exactly meet the team's requirements, it will cause many
problems and delays in dealing with the unwanted upload.
</para>
</para>
<para>
The version control system used by the previous maintainer might contain useful
-changes, so it might be a good idea to have a look there. Check if the control
+changes, so it might be a good idea to have a look there. Check if the <filename>control</filename>
file of the previous package contained any headers linking to the version
control system for the package and if it still exists.
</para>
<para>
-Package removals from unstable (not testing, stable or oldstable) trigger the
+Package removals from <literal>unstable</literal> (not <literal>testing</literal>,
+<literal>stable</literal> or <literal>oldstable</literal>) trigger the
closing of all bugs related to the package. You should look through all the
closed bugs (including archived bugs) and unarchive and reopen any that were
closed in a version ending in <literal>+rm</literal> and still apply. Any that
<itemizedlist>
<listitem>
<para>
-Does your NMU really fix bugs? Fixing cosmetic issues or changing the
-packaging style in NMUs is discouraged.
+Have you geared the NMU towards helping the maintainer? As there might
+be disagreement on the notion of whether the maintainer actually needs
+help on not, the DELAYED queue exists to give time to the maintainer to
+react and has the beneficial side-effect of allowing for independent
+reviews of the NMU diff.
+</para>
+</listitem>
+<listitem>
+<para>
+Does your NMU really fix bugs? ("Bugs" means any kind of bugs, e.g.
+wishlist bugs for packaging a new upstream version, but care should be
+taken to minimize the impact to the maintainer.) Fixing cosmetic issues
+or changing the packaging style (e.g. switching from cdbs to dh) in NMUs
+is discouraged.
</para>
</listitem>
<listitem>
<para>
Those delays are only examples. In some cases, such as uploads fixing security
-issues, or fixes for trivial bugs that blocking a transition, it is desirable
+issues, or fixes for trivial bugs that block a transition, it is desirable
that the fixed package reaches <literal>unstable</literal> sooner.
</para>
benefit of making it visually clear that a package in the archive was not made
by the official maintainer.
</para>
-
<para>
If you upload a package to testing or stable, you sometimes need to "fork" the
version number tree. This is the case for security uploads, for example. For
this, a version of the form
-<literal>+deb<replaceable>XY</replaceable>u<replaceable>Z</replaceable></literal>
-should be used, where <replaceable>X</replaceable> and
-<replaceable>Y</replaceable> are the major and minor release numbers, and
-<replaceable>Z</replaceable> is a counter starting at <literal>1</literal>.
-When the release number is not yet known (often the case for
-<literal>testing</literal>, at the beginning of release cycles), the lowest
-release number higher than the last stable release number must be used. For
-example, while Lenny (Debian 5.0) is stable, a security NMU to stable for a
-package at version <literal>1.5-3</literal> would have version
-<literal>1.5-3+deb50u1</literal>, whereas a security NMU to Squeeze would get
-version <literal>1.5-3+deb60u1</literal>. After the release of Squeeze, security
-uploads to the <literal>testing</literal> distribution will be versioned
-<literal>+deb61uZ</literal>, until it is known whether that release will be
-Debian 6.1 or Debian 7.0 (if that becomes the case, uploads will be versioned
-as <literal>+deb70uZ</literal>).
+<literal>+deb<replaceable>X</replaceable>u<replaceable>Y</replaceable></literal>
+should be used, where <replaceable>X</replaceable> is the major release number,
+and <replaceable>Y</replaceable> is a counter starting at <literal>1</literal>.
+For example, while Wheezy (Debian 7.0) is stable, a security NMU to stable for
+a package at version <literal>1.5-3</literal> would have version
+<literal>1.5-3+deb7u1</literal>, whereas a security NMU to Jessie would get
+version <literal>1.5-3+deb8u1</literal>.
</para>
</section>
~ianmdlvl / developers-reference.git / blobdiff