Differences between revisions 9 and 10
Revision 9 as of 2009-08-20 00:17:46
Size: 5808
Editor: NicoGolde
Comment:
Revision 10 as of 2009-09-06 21:30:35
Size: 6273
Editor: NicoGolde
Comment:

Releasing an update

There now follows a worked example of issuing DSA-1317-1 for "tinymux".

Run new-security-install:

skx@klecker:$ cd /org/security.debian.org/queue/embargoed

skx@klecker:$ dak new-security-install DSA-1317 tinymux_2.4.3.31*etch1*.changes

Once this runs you'll be presented with a simple menu. There are two things you need to do here: first press "E" to edit the advisory, making any changes you like, then press "A" to accept the packages. The advisory created in the "E"dit step is saved to /org/security.debian.org/advisories/drafts/dsa-1317. You should be able to edit the draft in that location, but not rename or move it.

Note that the editing feature above isn't ready for production yet; this will hopefully be fixed soon. Most people write the advisory by hand and paste in the checksum and package list from the template later on. Make sure to edit the distribution list, as the template usually produces something like:

Debian GNU/Linux 4.0 alias etch
-------------------------------
Debian GNU/Linux 5.0 alias lenny
--------------------------------
Debian (oldstable)
------------------

Incomplete package builds

Make sure to use a different DSA number for new-security-install when architectures were missing from the first update and you are pushing them afterwards. E.g. if s390 was missing before, you could use DSA-1371-1s390. dak allows each number to be used only once.

Troubleshooting

"Multiple advisories selected"

You might see errors related to a DSA number already being in use; these manifest as messages like "Multiple advisories selected". To fix this, run:

dak new-security-install --drop-advisory DSA-1234 package*.changes

Stable and oldstable sharing the same upstream tarball

If you upload e.g. the oldstable update and then the stable update that shares the same upstream tarball, dak will unfortunately reject the second package because the tarball is already there (building with -sa doesn't help either; dak won't find the tarball in that case). As a workaround until this is fixed in dak, move the tarball to a different location after uploading the first update, then upload the second update.
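The rejection described above is easy to run into because the second .changes file silently references the same .orig.tar.* as the first. The following is an added example, not part of the wiki page or of dak itself: a small POSIX sh check that lists the orig tarballs named in a .changes file's Files: section and reports whether a file of that name already exists in a directory you point it at (the directory path is an assumption for illustration; it stands in for wherever the first upload's tarball ended up). The .changes content in demo() is constructed for the example.

```shell
#!/bin/sh
# Added example (not from the Debian wiki page or dak): find the orig tarballs an
# upload references and check whether one is already present in a given directory,
# so the "tarball is already there" rejection is caught before the second upload.

# Print the orig tarball file names listed in the Files: section of a .changes file.
# Files: lines look like " <md5> <size> <section> <priority> <name>"; the section
# ends at the next non-indented header line.
orig_tarballs_in_changes() {
    changes="$1"
    awk '
        /^Files:/ { infiles = 1; next }
        /^[^ ]/   { infiles = 0 }
        infiles && $5 ~ /\.orig\.tar\./ { print $5 }
    ' "$changes"
}

# Exit status 0 when no orig tarball named in the .changes already exists in $2
# (the upload is expected to pass dak's check), 1 when at least one does.
check_orig_conflict() {
    changes="$1"; pool="$2"
    status=0
    for name in $(orig_tarballs_in_changes "$changes"); do
        if [ -e "$pool/$name" ]; then
            echo "already present: $pool/$name (dak will reject; move it aside first)" >&2
            status=1
        fi
    done
    return "$status"
}

# Stand-alone demonstration with a constructed .changes file (not a real upload).
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/foo_1.0-1+lenny1_i386.changes" <<'EOF'
Format: 1.8
Source: foo
Version: 1.0-1+lenny1
Files:
 0123456789abcdef0123456789abcdef 1234 misc optional foo_1.0-1+lenny1.dsc
 0123456789abcdef0123456789abcdef 5678 misc optional foo_1.0.orig.tar.gz
 0123456789abcdef0123456789abcdef 910 misc optional foo_1.0-1+lenny1.diff.gz
Checksums-Sha1:
 0123456789abcdef0123456789abcdef01234567 5678 foo_1.0.orig.tar.gz
EOF
    mkdir "$tmp/pool"
    # First update: nothing there yet.
    check_orig_conflict "$tmp/foo_1.0-1+lenny1_i386.changes" "$tmp/pool" && echo "no conflict"
    # Simulate the tarball left behind by the first (e.g. oldstable) upload.
    : > "$tmp/pool/foo_1.0.orig.tar.gz"
    check_orig_conflict "$tmp/foo_1.0-1+lenny1_i386.changes" "$tmp/pool" || echo "conflict detected"
    rm -rf "$tmp"
}

demo
```

Run the check against the second update's .changes before uploading; if it reports a conflict, apply the workaround above (move the tarball aside), then upload.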

Messing with dak files

In case you messed with the dak files, or built a binary-only package for a specific architecture yourself to work around buildd problems, you can move the files back to /org/security.debian.org/queue/{unchecked,unchecked-disembargo} and dak will reprocess them.

binNMUs

When doing binNMUs to fix a build issue with a security update, you also need to do a --drop-advisory. For example, for DSA-1364 we needed to upload new builds for alpha, mips, and mipsel:

dannf@klecker:/org/security.debian.org/queue/embargoed$ dak new-security-install --drop-advisory vim_6.3-071+1sarge2+b1_alpha.changes  vim_6.3-071+1sarge2+b1_mipsel.changes vim_6.3-071+1sarge2+b1_mips.changes
Non-dak user: dannf
Advisory: missing-archs-36
Changes:
 vim_6.3-071+1sarge2+b1_mips.changes
Packages:
 vim 1:6.3-071+1sarge2+b1 (mips)
Add vim_6.3-071+1sarge2+b1_alpha.changes to missing-archs-36? y
Add vim_6.3-071+1sarge2+b1_mipsel.changes to missing-archs-36? y
Advisory: missing-archs-36
Changes:
 vim_6.3-071+1sarge2+b1_mips.changes
 vim_6.3-071+1sarge2+b1_alpha.changes
 vim_6.3-071+1sarge2+b1_mipsel.changes
Packages:
 vim 1:6.3-071+1sarge2+b1 (alpha, mips, mipsel)
dannf@klecker:/org/security.debian.org/queue/embargoed$ dak new-security-install DSA-1364-2 vim_6.3-071+1sarge2+b1_alpha.changes  vim_6.3-071+1sarge2+b1_mipsel.changes vim_6.3-071+1sarge2+b1_mips.changes
Non-dak user: dannf
Create new advisory DSA-1364-2? y
Advisory: DSA-1364-2
Changes:
 vim_6.3-071+1sarge2+b1_alpha.changes
 vim_6.3-071+1sarge2+b1_mipsel.changes
 vim_6.3-071+1sarge2+b1_mips.changes
Packages:
 vim 1:6.3-071+1sarge2+b1 (alpha, mips, mipsel)
Approve, [E]dit advisory, Disembargo, Show advisory, Reject, Quit? a
Advisory: DSA-1364-2
Changes:
 vim_6.3-071+1sarge2+b1_mipsel.changes
 vim_6.3-071+1sarge2+b1_alpha.changes
 vim_6.3-071+1sarge2+b1_mips.changes
Packages:
 vim 1:6.3-071+1sarge2+b1 (alpha, mips, mipsel)
Advisory in /org/security.debian.org/advisories/drafts/DSA-1364-2
Accepting packages...
Updating file lists for apt-ftparchive...
Updating Packages and Sources files...
Updating Release files...
Triggering security mirrors...
Uploading files to ftp-master.debian.org...
Uploading in the background

Creating website pages

Once the template has been created, run parse-advisory.pl to create the appropriate WML files:

skx@klecker:~/webwml/english/security$ ./parse-advisory.pl ~/dsa-1317-1 .. ..

After that you may want to add the link to the mail on lists.debian.org by hand in the .data file. It makes sense to wait until the mail has shown up in the list archive, since in that case the script finds the link on its own.

Add the two new files to the CVS repository: cvs add 2007/dsa-1317.wml 2007/dsa-1317.data

See TODO for details on working with the Debian website and using WML generally. You will need commit access to issue advisories.

TODO: Mention dsa-www script.

Sending out the announcement to the debian-security-announce

Mail the advisory template file to debian-security-announce@lists.debian.org with an appropriate subject.

The subject should be "[DSA XXXX-1] new xxx packages fix yyy"; it must start with "[DSA", otherwise the message is silently dropped. There is a signature cache to prevent replay attacks, so you need to make a new signature in case of an error. The signer must be a Debian Developer in the "security" group.

The advisory should also be saved into /org/security.debian.org/advisories/DSA for future reference.

Note: The template must be "gpg --clearsign"d, or the mail to the list will not be accepted.
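The two requirements above (the Subject must start with "[DSA", and the text must be clearsigned) are the ones that make a mail disappear silently, so they are worth checking before sending. The following is an added example, not part of the wiki page or of any Debian tooling: a POSIX sh pre-send check. The function names are this example's own; the clearsign check only inspects the armor headers (a real verification is attempted with gpg --verify when gpg is installed), and the advisory text in demo() is a constructed stand-in, not a real signed advisory.

```shell
#!/bin/sh
# Added example (not from the Debian wiki page): pre-send checks for a DSA
# announcement to debian-security-announce, covering the two rules the page
# states: the Subject must start with "[DSA" and the body must be clearsigned.

# The list silently drops mail whose Subject does not start with "[DSA".
subject_accepted() {
    case "$1" in
        "[DSA"*) return 0 ;;
        *)       return 1 ;;
    esac
}

# Stricter check for the recommended form "[DSA XXXX-1] new xxx packages fix yyy".
subject_well_formed() {
    printf '%s\n' "$1" | grep -Eq '^\[DSA [0-9]+-[0-9]+\] .+'
}

# Structural check: does the file look like "gpg --clearsign" output?
# This only looks at the armor headers; it does not verify the signature.
looks_clearsigned() {
    f="$1"
    [ "$(head -n 1 "$f")" = "-----BEGIN PGP SIGNED MESSAGE-----" ] &&
    grep -q '^-----BEGIN PGP SIGNATURE-----$' "$f" &&
    grep -q '^-----END PGP SIGNATURE-----$' "$f"
}

# Real verification with gpg when it is installed: 0 on a good signature,
# 1 on a bad one, 2 when gpg is unavailable (2 means "not checked", not "ok").
verify_clearsign() {
    command -v gpg >/dev/null 2>&1 || return 2
    gpg --batch --verify "$1" >/dev/null 2>&1
}

# Run all checks. 0: ready to send; 1: fix something first; 2: signature not
# verified because gpg is missing. Because of the list's signature cache, a
# rejected attempt must be re-signed (fresh signature) before sending again.
ready_to_send() {
    subject="$1"; advisory="$2"
    subject_accepted "$subject" || { echo "Subject must start with [DSA" >&2; return 1; }
    subject_well_formed "$subject" || echo "warning: Subject is not of the form [DSA XXXX-1] ..." >&2
    looks_clearsigned "$advisory" || { echo "advisory is not clearsigned (run gpg --clearsign)" >&2; return 1; }
    rc=0
    verify_clearsign "$advisory" || rc=$?
    case "$rc" in
        0) return 0 ;;
        2) echo "gpg not available; signature not verified" >&2; return 2 ;;
        *) echo "signature does not verify; re-sign the advisory" >&2; return 1 ;;
    esac
}

# Stand-alone demonstration with a constructed, not actually signed, advisory.
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/dsa-1317-1" <<'EOF'
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Debian Security Advisory DSA-1317-1
(advisory text)
-----BEGIN PGP SIGNATURE-----

(constructed placeholder, not a real signature block)
-----END PGP SIGNATURE-----
EOF
    if ready_to_send "[DSA 1317-1] new tinymux packages fix yyy" "$tmp/dsa-1317-1"; then
        echo "ready to send"
    else
        echo "not ready (status $?)"
    fi
    rm -rf "$tmp"
}

demo
```

The structural check catches the common mistake of mailing the unsigned template; the gpg step catches a signature that was made before a last-minute edit, which would also be rejected and, because of the replay cache, has to be redone rather than resent.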

Tips for the DSA body text

  • The description of the issues shouldn't be taken from MITRE; they have too much crap in their data. Better to look at the patch, make sure you fully understand the issue, and write the text on your own; that's usually simpler and better.
  • Try to give credit to the discoverer where it's known, e.g. "John Woo discovered that an integer overflow...".