Differences between revisions 6 and 7
Revision 6 as of 2009-03-16 03:32:45
Size: 4226
Editor: anonymous
Comment: converted to 1.6 markup
Revision 7 as of 2009-08-11 15:41:14
Size: 4531
Editor: LucianoBello
Comment: tips from jmm private mail
Releasing an update

There now follows a worked example of issuing DSA-1317-1 for "tinymux".

Run new-security-install:

skx@klecker:$ cd /org/security.debian.org/queue/embargoed

skx@klecker:$ dak new-security-install DSA-1317 tinymux_2.4.3.31*etch1*.changes

Once this runs you'll be presented with a simple menu. There are two things you need to do here: first press "E" to edit the advisory, making any changes you like, then press "A" to "accept" the packages. The advisory created in the "E"dit advisory step is saved in /org/security.debian.org/advisories/drafts/dsa-1317. You should be able to edit the draft in that location, but not rename or move it.

Note that the above editing feature isn't ready for production yet. This will hopefully be fixed soon.

Troubleshooting

"Multiple advisories selected"

You might see errors related to a DSA number that is already in use; these show up as messages like "Multiple advisories selected". To fix this, run: dak new-security-install --drop-advisory DSA-1234 package*.changes

binNMUs

When doing binNMUs to fix a build issue with a security update, you also need to use --drop-advisory. For example, for DSA-1364 we needed to upload new builds for alpha, mips, and mipsel:

dannf@klecker:/org/security.debian.org/queue/embargoed$ dak new-security-install --drop-advisory vim_6.3-071+1sarge2+b1_alpha.changes  vim_6.3-071+1sarge2+b1_mipsel.changes vim_6.3-071+1sarge2+b1_mips.changes
Non-dak user: dannf
Advisory: missing-archs-36
Changes:
 vim_6.3-071+1sarge2+b1_mips.changes
Packages:
 vim 1:6.3-071+1sarge2+b1 (mips)
Add vim_6.3-071+1sarge2+b1_alpha.changes to missing-archs-36? y
Add vim_6.3-071+1sarge2+b1_mipsel.changes to missing-archs-36? y
Advisory: missing-archs-36
Changes:
 vim_6.3-071+1sarge2+b1_mips.changes
 vim_6.3-071+1sarge2+b1_alpha.changes
 vim_6.3-071+1sarge2+b1_mipsel.changes
Packages:
 vim 1:6.3-071+1sarge2+b1 (alpha, mips, mipsel)
dannf@klecker:/org/security.debian.org/queue/embargoed$ dak new-security-install DSA-1364-2 vim_6.3-071+1sarge2+b1_alpha.changes  vim_6.3-071+1sarge2+b1_mipsel.changes vim_6.3-071+1sarge2+b1_mips.changes
Non-dak user: dannf
Create new advisory DSA-1364-2? y
Advisory: DSA-1364-2
Changes:
 vim_6.3-071+1sarge2+b1_alpha.changes
 vim_6.3-071+1sarge2+b1_mipsel.changes
 vim_6.3-071+1sarge2+b1_mips.changes
Packages:
 vim 1:6.3-071+1sarge2+b1 (alpha, mips, mipsel)
Approve, [E]dit advisory, Disembargo, Show advisory, Reject, Quit? a
Advisory: DSA-1364-2
Changes:
 vim_6.3-071+1sarge2+b1_mipsel.changes
 vim_6.3-071+1sarge2+b1_alpha.changes
 vim_6.3-071+1sarge2+b1_mips.changes
Packages:
 vim 1:6.3-071+1sarge2+b1 (alpha, mips, mipsel)
Advisory in /org/security.debian.org/advisories/drafts/DSA-1364-2
Accepting packages...
Updating file lists for apt-ftparchive...
Updating Packages and Sources files...
Updating Release files...
Triggering security mirrors...
Uploading files to ftp-master.debian.org...
Uploading in the background

Creating website pages

Once the template has been created, run parse-advisory.pl to create the appropriate WML files: skx@klecker:~/webwml/english/security$ ./parse-advisory.pl ~/dsa-1317-1 .. ..

Add the two new files to the CVS repository: cvs add 2007/dsa-1317.wml 2007/dsa-1317.data

See TODO for details on working with the Debian website and using WML generally. You will need commit access to issue advisories.

TODO: Mention dsa-www script.

Sending out the announcement to debian-security-announce

Mail the advisory template file to debian-security-announce@lists.debian.org with an appropriate subject.

The subject should be "[DSA XXXX-1] new xxx packages fix yyy"; it must start with "[DSA", otherwise the message is silently dropped. There is a signature cache to prevent replay attacks, so you need to make a new signature if you have to resend after an error. The signer must be a Debian Developer in the "security" group.

The advisory should also be saved into /org/security.debian.org/advisories/DSA for future reference.

Note: The template must be "gpg --clearsign"d, or the mail to the list will not be accepted.
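Both failure modes above (a subject not starting with "[DSA", an unsigned template) are silent, so a pre-flight check before mailing is worth having. The script below is an added example, not part of this page or of dak; the check_dsa_mail function, the draft file layout (a "Subject:" line followed by the clearsigned advisory) and the sample drafts are assumptions.

```shell
#!/bin/sh
# Pre-flight checks for a DSA announcement before mailing it to
# debian-security-announce. Added example, not part of dak or the
# Security Team's own scripts. Assumes the draft is a text file whose
# first "Subject:" line is the mail subject, followed by the
# "gpg --clearsign" output of the advisory template.
# check_dsa_mail FILE: returns 0 if the draft passes, 1 otherwise.
check_dsa_mail() {
    f=$1; rc=0
    subject=$(sed -n 's/^Subject:[[:space:]]*//p' "$f" | head -n 1)
    # The list silently drops mail whose subject does not start with
    # "[DSA"; insist on the documented "[DSA XXXX-N] ..." form.
    case $subject in
        '[DSA '[0-9]*-[0-9]*']'*) ;;
        *) echo "bad subject (want '[DSA XXXX-N] ...'): '$subject'"; rc=1 ;;
    esac
    # The body must be clearsigned, or the list will not accept it.
    if ! grep -q '^-----BEGIN PGP SIGNED MESSAGE-----$' "$f" ||
       ! grep -q '^-----END PGP SIGNATURE-----$' "$f"; then
        echo "advisory is not gpg --clearsign'd"; rc=1
    fi
    # Run "gpg --verify FILE" on the real draft as well; it is not run
    # here because the samples below carry a placeholder signature.
    # Remember the list's signature cache: re-sign after every edit.
    return $rc
}

# Constructed sample drafts (not real advisories or signatures).
tmp=$(mktemp -d)
GOOD_DRAFT=$tmp/dsa-1317-1.txt
BAD_DRAFT=$tmp/dsa-1317-1-unsigned.txt
cat > "$GOOD_DRAFT" <<'EOF'
Subject: [DSA 1317-1] New tinymux packages fix several vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Debian Security Advisory DSA-1317-1 (body omitted in this sample)
-----BEGIN PGP SIGNATURE-----
placeholder-signature-not-a-real-one
-----END PGP SIGNATURE-----
EOF
# Same advisory, unsigned, with a subject the list would drop silently.
cat > "$BAD_DRAFT" <<'EOF'
Subject: DSA 1317-1: New tinymux packages fix several vulnerabilities
Debian Security Advisory DSA-1317-1 (body omitted in this sample)
EOF
check_dsa_mail "$GOOD_DRAFT" && echo "ok: $GOOD_DRAFT"
check_dsa_mail "$BAD_DRAFT"  || echo "rejected: $BAD_DRAFT"
```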

Tips for the DSA body text

  • The description of the issues shouldn't be taken from MITRE, they have too much crap in their data. It is better to look at the patch; that's usually simpler.
  • Try to give credit to the discoverer where it's known, e.g. "John Woo discovered that an integer overflow...".