From 92d56bb42fe59011916dd95edcdb29469a3b2323 Mon Sep 17 00:00:00 2001 From: mdz Date: Thu, 29 Aug 2002 15:47:50 +0000 Subject: [PATCH] Update security instructions to specify that uploads should not be made to the security queue without approval Misc fixes and cleanups to security section git-svn-id: svn://anonscm.debian.org/ddp/manuals/trunk/developers-reference@1799 313b444b-1b9f-4f58-a734-7bb04f332e8d --- developers-reference.sgml | 37 +++++++++++++++++++++++-------------- 1 file changed, 23 insertions(+), 14 deletions(-) diff --git a/developers-reference.sgml b/developers-reference.sgml index 79a6049..b90515e 100644 --- a/developers-reference.sgml +++ b/developers-reference.sgml @@ -6,7 +6,7 @@ %commondata; - + + What to do when you learn of a security problem @@ -2744,10 +2745,12 @@ When packaging the fix, keep the following points in mind: new version to unstable first. Do not make source-only uploads if your package has any - binary-all packages. The buildd infrastructure will not build - those. This point applies to normal package uploads as well. + binary-all packages (do not use the -S option to + dpkg-buildpackage). The buildd infrastructure will + not build those. This point applies to normal package uploads as + well. - Always upload with full source (use the -sa option + Always build with full source (use the -sa option for dpkg-buildpackage). Be sure to use the exact same .orig.tar.gz as used in the @@ -2759,28 +2762,34 @@ When packaging the fix, keep the following points in mind: are building for. If you do not have such a system yourself, you can use a debian.org machine (see ) or setup a chroot (see and - ). + ). Uploading the fixed package -

-Once you have created and tested the new package, it needs to be -uploaded so it can be installed in the archives. For security uploads, -the place to upload to is +

+DO NOT upload a package to the security upload queue without +prior authorization from the security team. If the package does not +exactly meet the team's requirements, it will cause many problems and +delays in dealing with the unwanted upload. +

+Once you have created and tested the new package, and it has been +approved by the security team, it needs to be uploaded so that it can +be installed in the archives. For security uploads, the place to +upload to is ftp://security.debian.org/pub/SecurityUploadQueue/ .

-Once an upload to the security queue has been accepted the package +Once an upload to the security queue has been accepted, the package will automatically be rebuilt for all architectures and stored for verification by the security team.

-Uploads waiting for acceptance or verification are only accessible by -the security team. This is necessary since there might be fixes for -security problems that can not be disclosed yet. +Uploads which are waiting for acceptance or verification are only +accessible by the security team. This is necessary since there might +be fixes for security problems that cannot be disclosed yet.

-If a member of the security team accepts a package it will be +If a member of the security team accepts a package, it will be installed on security.debian.org as well as the proper distribution-proposed-updates on ftp-master or in the non-US archive. -- 2.30.2
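Review bot: in the hunk at @@ -2744,10 +2745,12 @@, the new parenthetical "do not use the -S option to dpkg-buildpackage" reads as a bare prohibition and does not say why; suggest wording it as "in particular, do not build with the -S option to dpkg-buildpackage, since that produces a source-only upload" so the reader sees that -S is the mechanism being ruled out and connects it to the binary-all sentence it follows. The change from "Always upload with full source" to "Always build with full source (use the -sa option for dpkg-buildpackage)" is consistent with the surrounding text, which already refers to the .orig.tar.gz used for the build.

Review bot: in the hunk at @@ -2759,28 +2762,34 @@, the added "DO NOT upload a package to the security upload queue without prior authorization from the security team" paragraph states the consequence of an unauthorized upload ("many problems and delays") but not how a maintainer obtains that authorization; suggest adding a cross-reference to the "What to do when you learn of a security problem" section touched earlier in this patch so the requirement is actionable rather than only a warning. Also, in the following paragraph the stray space before the full stop in "SecurityUploadQueue/ ." looks like a leftover from a wrapped element and is worth tidying while the paragraph is being reworded.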