From 7f2b8064fcbddda5c452be1a1be04723ebd42e1a Mon Sep 17 00:00:00 2001
From: lucas <lucas@313b444b-1b9f-4f58-a734-7bb04f332e8d>
Date: Thu, 22 Jan 2009 23:55:36 +0000
Subject: [PATCH] Update instructions on handling of security issues. (#512620,
 #510783)

git-svn-id: svn://anonscm.debian.org/ddp/manuals/trunk/developers-reference@5798 313b444b-1b9f-4f58-a734-7bb04f332e8d
---
 debian/changelog |   5 ++-
 pkgs.dbk         | 103 +++++++++++++++++++++++++++--------------------
 2 files changed, 64 insertions(+), 44 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index c3b6cc3..cf178b9 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -36,8 +36,11 @@ developers-reference (3.4.1) UNRELEASED; urgency=low
   * Updated documentation on translation updates.
     Thanks to Christian Perrier for the patch.
     Closes: #474879.
+  * Update instructions on handling of security issues.
+    Thanks to Thijs Kinkhorst for the patch.
+    Closes: #512620, #510783.
 
- -- Lucas Nussbaum <lucas@lucas-nussbaum.net>  Fri, 23 Jan 2009 00:36:50 +0100
+ -- Lucas Nussbaum <lucas@lucas-nussbaum.net>  Fri, 23 Jan 2009 00:45:13 +0100
 
 developers-reference (3.4.0) unstable; urgency=low
 
diff --git a/pkgs.dbk b/pkgs.dbk
index 4730898..e9b058a 100644
--- a/pkgs.dbk
+++ b/pkgs.dbk
@@ -827,15 +827,13 @@ outstanding security problems, helping maintainers with security problems or
 fixing them themselves, sending security advisories, and maintaining
 <literal>security.debian.org</literal>.
 </para>
-<!-- information about the security database goes here once it's ready -->
-<!-- (mdz) -->
 <para>
 When you become aware of a security-related bug in a Debian package, whether or
 not you are the maintainer, collect pertinent information about the problem,
 and promptly contact the security team at
 &email-security-team; as soon as possible.  <emphasis
-role="strong">DO NOT UPLOAD</emphasis> any packages for <literal>stable</literal>;
- the security team will do that.  Useful information includes, for example:
+role="strong">DO NOT UPLOAD</emphasis> any packages for <literal>stable</literal>
+without contacting the team.  Useful information includes, for example:
 </para>
 <itemizedlist>
 <listitem>
@@ -870,6 +868,29 @@ linkend="bug-security-advisories"/> )
 </para>
 </listitem>
 </itemizedlist>
+<para>As the maintainer of the package, you have the responsibility to
+maintain it, even in the stable release. You are in the best position
+to evaluate patches and test updated packages, so please see the sections
+below on how to prepare packages for the Security Team to handle.</para>
+
+<section id="bug-security-tracker">
+<title>The Security Tracker</title>
+<para>
+The security team maintains a central database, the
+<ulink url="http://security-tracker.debian.net/">Debian Security Tracker</ulink>.
+This contains all public information that is known about security issues:
+which packages and versions are affected or fixed, and thus whether stable,
+testing and/or unstable are vulnerable. Information that is still confidential
+is not added to the tracker.
+</para>
+<para>
+You can search it for a specific issue, but also on package name. Look
+for your package to see which issues are still open. If you can, please provide
+more information about those issues, or help to address them in your package.
+Instructions are on the tracker web pages.
+</para>
+</section>
+
 <section id="bug-security-confidentiality">
 <title>Confidentiality</title>
 <para>
@@ -939,6 +960,10 @@ There are two reasons for releasing information even though secrecy is
 requested: the problem has been known for a while, or the problem or exploit
 has become public.
 </para>
+<para>
+The Security Team has a PGP-key to enable encrypted communication about
+sensitive issues. See the <ulink url="http://www.debian.org/security/faq.en.html#contact">Security Team FAQ</ulink> for details.
+</para>
 </section>
 
 <section id="bug-security-advisories">
@@ -1075,7 +1100,8 @@ Be sure to verify the following items:
 <itemizedlist>
 <listitem>
 <para>
-Target the right distribution in your <filename>debian/changelog</filename>.
+<emphasis role="strong">Target the right distribution</emphasis>
+in your <filename>debian/changelog</filename>.
 For <literal>stable</literal> this is <literal>stable-security</literal> and
 for testing this is <literal>testing-security</literal>, and for the previous
 stable release, this is <literal>oldstable-security</literal>.  Do not target
@@ -1085,67 +1111,58 @@ stable release, this is <literal>oldstable-security</literal>.  Do not target
 </listitem>
 <listitem>
 <para>
-The upload should have urgency=high.
+The upload should have <emphasis role="strong">urgency=high</emphasis>.
 </para>
 </listitem>
 <listitem>
 <para>
 Make descriptive, meaningful changelog entries.  Others will rely on them to
-determine whether a particular bug was fixed.  Always include an external
-reference, preferably a CVE identifier, so that it can be cross-referenced.
-Include the same information in the changelog for <literal>unstable</literal>,
-so that it is clear
-that the same bug was fixed, as this is very helpful when verifying that the
-bug is fixed in the next stable release.  If a CVE identifier has not yet been
-assigned, the security team will request one so that it can be included in the
-package and in the advisory.
+determine whether a particular bug was fixed.  Add <literal>closes:</literal>
+statements for any <emphasis role="strong">Debian bugs</emphasis> filed.
+Always include an external reference, preferably a <emphasis role="strong">CVE
+identifier</emphasis>, so that it can be cross-referenced. However, if a CVE
+identifier has not yet been assigned, do not wait for it but continue the
+process. The identifier can be cross-referenced later.
 </para>
 </listitem>
 <listitem>
 <para>
-Make sure the version number is proper.  It must be greater than the current
-package, but less than package versions in later distributions.  If in doubt,
-test it with <literal>dpkg --compare-versions</literal>.  Be careful not to
-re-use a version number that you have already used for a previous upload.  For
-<literal>testing</literal>, there must be a higher version in
-<literal>unstable</literal>.  If there is none yet (for example, if
-<literal>testing</literal> and <literal>unstable</literal> have the same
-version) you must upload a new version to <literal>unstable</literal> first.
-</para>
-</listitem>
-<listitem>
-<para>
-Do not make source-only uploads if your package has any binary-all packages (do
-not use the <literal>-S</literal> option to
-<command>dpkg-buildpackage</command>).  The <command>buildd</command>
-infrastructure will not build those.  This point applies to normal package
-uploads as well.
+Make sure the <emphasis role="strong">version number</emphasis> is proper. 
+It must be greater than the current package, but less than package versions in
+later distributions.  If in doubt, test it with <literal>dpkg
+--compare-versions</literal>.  Be careful not to re-use a version number that
+you have already used for a previous upload, or one that conflicts with a
+binNMU. The convention is to append
+<literal>+</literal><replaceable>codename</replaceable><literal>1</literal>, e.g.
+<literal>1:2.4.3-4+etch1</literal>, of course increasing 1 for any subsequent
+uploads.
 </para>
 </listitem>
 <listitem>
 <para>
 Unless the upstream source has been uploaded to <literal>security.debian.org
-</literal> before (by a previous security update), build the upload with full
-upstream source (<literal>dpkg-buildpackage -sa</literal>).  If there has been
-a previous upload to <literal>security.debian.org</literal> with the same
-upstream version, you may upload without upstream source (<literal>
-dpkg-buildpackage -sd</literal>).
+</literal> before (by a previous security update), build the upload <emphasis
+role="strong">with full upstream source</emphasis> (<literal>dpkg-buildpackage
+-sa</literal>).  If there has been a previous upload to
+<literal>security.debian.org</literal> with the same upstream version, you may
+upload without upstream source (<literal> dpkg-buildpackage -sd</literal>).
 </para>
 </listitem>
 <listitem>
 <para>
-Be sure to use the exact same <filename>*.orig.tar.gz</filename> as used in the
+Be sure to use the <emphasis role="strong">exact same
+<filename>*.orig.tar.gz</filename></emphasis> as used in the
 normal archive, otherwise it is not possible to move the security fix into the
 main archives later.
 </para>
 </listitem>
 <listitem>
 <para>
-Build the package on a clean system which only has packages installed from the
-distribution you are building for.  If you do not have such a system yourself,
-you can use a debian.org machine (see <xref linkend="server-machines"/> ) or
-setup a chroot (see <xref linkend="pbuilder"/> and <xref
-linkend="debootstrap"/> ).
+Build the package on a <emphasis role="strong">clean system</emphasis> which only
+has packages installed from the distribution you are building for. If you do not
+have such a system yourself, you can use a debian.org machine (see
+<xref linkend="server-machines"/> ) or setup a chroot (see
+<xref linkend="pbuilder"/> and <xref linkend="debootstrap"/> ).
 </para>
 </listitem>
 </itemizedlist>
@@ -1178,7 +1195,7 @@ archives.  For security uploads, the place to upload to is
 </para>
 <para>
 Once an upload to the security queue has been accepted, the package will
-automatically be rebuilt for all architectures and stored for verification by
+automatically be built for all architectures and stored for verification by
 the security team.
 </para>
 <para>
-- 
2.30.2