Differences between revisions 52 and 53
Revision 52 as of 2014-06-22 09:44:19
Size: 3093
Editor: Kron
Comment:
Revision 53 as of 2014-07-14 14:54:34
Size: 3890
Editor: HolgerLevsen
Comment: explain how to claim and use an DLA
Line 24: Line 24:
You need to be member of secure-testing alioth project. Unfortunately it still does not work to commit to the repository being a Debian Developer (which should, as the roles are set accordingly, but permissions are still broken on alioth). [[https://lists.debian.org/debian-lts/2014/06/msg00107.html|Source]]
Line 28: Line 30:
You need to be member of secure-testing alioth project. Unfortunately it still does not work to commit to the repository being a Debian Developer (which should, as the roles are set accordingly, but permissions are still broken on alioth). [[https://lists.debian.org/debian-lts/2014/06/msg00107.html|Source]] ==== Claim an DLA ID in DLA/list ====

In order to easily reference updates, make sure to claim an DLA ID in [[https://anonscm.debian.org/viewvc/secure-testing/data/DLA/list?view=log|DLA/list]] and describe the update there. (You will also need to update this entry once you've uploaded the package.)

(In future we should refactor bin/gen-DSA to also support generating DLAs.)
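Review bot: the new "Claim an DLA ID in DLA/list" section tells the reader to claim an ID and describe the update, but it does not say how the ID is chosen or what an entry in the file looks like, and the link goes to the viewvc log view (?view=log) of secure-testing/data/DLA/list, which only shows history. Suggest stating that the claim is a commit to that file in the secure-testing repository and showing one sample entry. The heading and the sentence should also read "a DLA ID" rather than "an DLA ID".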
Line 46: Line 52:
Please use a DLA-ID as taken from [[https://anonscm.debian.org/viewvc/secure-testing/data/DLA/list?view=log|DLA/list]] and please update that file after uploading, to document the changes and upload date.

Subject: [DLA 0023-1] SOURCEPACKAGENAME update
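Review bot: the sample Subject line in this hunk shows the literal ID "DLA 0023-1" directly after the sentence asking the reader to take the DLA-ID from DLA/list, which makes it easy to send an announcement with a copied ID. Suggest a placeholder in the style of SOURCEPACKAGENAME for the ID as well, and the same in the "Debian Security Advisory DLA-0023-1" line of the mail body.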
Line 47: Line 57:
 Debian Security Advisory DLA-0023-1
 https://wiki.debian.org/LTS
 ----------------------------------------------------------------------------


Debian squeeze (6.0) LTS development

Add squeeze-lts to your sources.list

This information has moved to LTS/Using.

Contribute

You can help in many ways.

Report Bugs

Please report bugs that you find in the packages to the debian-lts mailing list.

Preparing fixed packages for squeeze-lts

You need to be a member of the secure-testing Alioth project. Unfortunately, being a Debian Developer is still not enough to commit to the repository (it should be, as the roles are set accordingly, but permissions are still broken on Alioth). Source: https://lists.debian.org/debian-lts/2014/06/msg00107.html

Claim the issue in lts-needed.txt

In order to prevent duplication of effort, make sure the issue is listed in lts-needed.txt and add your name to it.

Claim a DLA ID in DLA/list

In order to easily reference updates, make sure to claim a DLA ID in DLA/list and describe the update there. (You will also need to update this entry once you've uploaded the package.)

(In the future we should refactor bin/gen-DSA to also support generating DLAs.)

Building the update

Backport the fix to the version in squeeze or squeeze-lts (in case there's already been an earlier update). You need to set the target distribution in debian/changelog to "squeeze-lts". The versioning follows the conventions already used in security.debian.org. Historically codenames have been used as version numbers, but this was changed some time ago as version numbers are more deterministic.

  • If a package has already had an update, e.g. +squeeze1, use +squeeze2 for the next update.
  • If a package hasn't seen an update, use +deb6u1 for the next update.

Now build the package and run your tests. You can generate a debdiff and post it to debian-lts@lists.debian.org for review.

Now test the fixed package. If you're satisfied, upload to ftp-master. If you use dput-ng, you need to apply the patch from 745806. After that "dput CHANGES file" is sufficient. Once uploaded the package will be auto-built for amd64 or i386 (if it's an arch:any package).
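
The target-distribution and versioning rules from this section, as an added example that is not part of the original wiki page: a small Python check for the top line of debian/changelog before building. The function names, the increment of an existing +deb6uN suffix, and the sample archive version 2.8.6-1+squeeze3 are assumptions made for this example.

```python
import re

# Suffix conventions from this page: "+squeezeN" (older codename style) or "+deb6uN".
SUFFIX = re.compile(r"\+(squeeze|deb6u)(\d+)$")
# Top line of a debian/changelog entry: "package (version) distribution; urgency=..."
HEADER = re.compile(r"^(\S+) \(([^)]+)\) (\S+(?: \S+)*); urgency=\S+")


def next_lts_version(current):
    """Return the version for the next squeeze-lts upload, given the archive version."""
    m = SUFFIX.search(current)
    if m is None:
        # Package has not seen an update yet: start at +deb6u1.
        return current + "+deb6u1"
    # Package already has an update: keep its suffix style and increment the number.
    # (Incrementing an existing +deb6uN is an assumption; the page only shows +squeezeN.)
    style, n = m.group(1), int(m.group(2))
    return "%s+%s%d" % (current[:m.start()], style, n + 1)


def check_changelog_header(line, archive_version):
    """Return a list of problems with the top changelog line (empty list means OK)."""
    m = HEADER.match(line)
    if m is None:
        return ["not a changelog header line"]
    _, version, dist = m.groups()
    problems = []
    if dist != "squeeze-lts":
        problems.append("distribution is %r, expected 'squeeze-lts'" % dist)
    expected = next_lts_version(archive_version)
    if version != expected:
        problems.append("version is %r, expected %r" % (version, expected))
    return problems


if __name__ == "__main__":
    # Constructed sample header; the version matches the gnutls26 entry shown on this page.
    header = "gnutls26 (2.8.6-1+squeeze4) squeeze-lts; urgency=high"
    for problem in check_changelog_header(header, "2.8.6-1+squeeze3") or ["OK"]:
        print(problem)
```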

Announcing the update

Now that the update has been released, send a mail to the debian-lts-announce mailing list. The mail needs to be signed by a PGP key in the debian.org or debian-maintainers keyring. Both PGP/MIME and inline signatures should be fine.

Please use a DLA-ID as taken from DLA/list and please update that file after uploading, to document the changes and upload date.

Subject: [DLA 0023-1] SOURCEPACKAGENAME update

 Debian Security Advisory DLA-0023-1       
 https://wiki.debian.org/LTS
 ----------------------------------------------------------------------------
 Package        : SOURCEPACKAGENAME
 Version        : VERSIONOFFIX
 CVE ID         : CVE-2014-0001 CVE-2014-0002
 Debian Bug     : 12345

 Brief description of the issue. This can usually be copied from the DSA.

Recording the fix in the Debian Security Tracker

Finally the fix needs to be tracked in the Debian Security Tracker by adding a [squeeze] version tag, e.g. for GNUTLS:

CVE-2014-3466
        RESERVED
        {DSA-2944-1}
        - gnutls26 2.12.23-16
        - gnutls28 3.2.15-1
        [squeeze] - gnutls26 2.8.6-1+squeeze4

