3937
Comment: Drop /data/ postfix on the wiki, so that one can access the bin/ directory once checked out
|
3942
Fix reference to data/lts-needed.txt
|
Deletions are marked like this. | Additions are marked like this. |
Line 28: | Line 28: |
In order to prevent duplication of effort, make sure the issue is listed in [[https://anonscm.debian.org/viewvc/secure-testing/data/lts-needed.txt?view=log|lts-needed.txt]] and add your name to it. | In order to prevent duplication of effort, make sure the issue is listed in [[https://anonscm.debian.org/viewvc/secure-testing/data/lts-needed.txt?view=log|data/lts-needed.txt]] and add your name to it. |
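Review bot: on Line 28 only the link label changes to data/lts-needed.txt; the URL still ends in ?view=log, so the link opens the revision history rather than the file that readers are asked to check and add their name to. Consider pointing the link at the file view, or saying in the text that the copy to edit is the one in the SVN checkout.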
Debian squeeze (6.0) LTS development
Add squeeze-lts to your sources.list
This information has moved to LTS/Using.
Contribute
You can help in many ways
keep this wiki updated
Report Bugs
Please report bugs that you find in the packages to the debian-lts mailing list.
Preparing fixed packages for squeeze-lts
You need to be a member of the secure-testing Alioth project; DDs should automatically be in that group. Unfortunately, committing to the repository as a Debian Developer still does not work (it should, as the roles are set accordingly, but permissions are still broken on Alioth). Source
Claim the issue in lts-needed.txt
In order to prevent duplication of effort, make sure the issue is listed in data/lts-needed.txt and add your name to it.
svn co svn+ssh://svn.debian.org/svn/secure-testing
Building the update
Backport the fix to the version in squeeze or squeeze-lts (in case there's already been an earlier update). You need to set the target distribution in debian/changelog to "squeeze-lts". The versioning follows the conventions already used in security.debian.org. Historically codenames have been used as version numbers, but this was changed some time ago as version numbers are more deterministic.
- If a package already e.g. had a +squeeze1 update, use +squeeze2 for the next update.
- If a package hasn't seen an update, use +deb6u1 for the next update.
Now build the package and run your tests. You can generate a debdiff and post it to debian-lts@lists.debian.org for review.
Now test the fixed package. If you're satisfied, upload to ftp-master. If you use dput-ng, you need to apply the patch from 745806. After that "dput CHANGES file" is sufficient. Once uploaded the package will be auto-built for amd64 or i386 (if it's an arch:any package).
Claim a DLA ID in DLA/list
Run bin/gen-DLA in the top directory of the SVN repository. It automatically generates an entry in data/DLA/list to ensure that no IDs are used twice. The following command would add an entry for src:hello fixing CVE-2014-0666 and create an advisory template for you:
bin/gen-DLA --save hello CVE-2014-0666
After that, commit your changed version of data/DLA/list.
Announcing the update
Now that the update has been released, send a mail to the debian-lts-announce mailing list. The mail needs to be signed by a PGP key in the debian.org or debian-maintainers keyring. Both PGP/MIME and inline signatures should be fine.
The advisory template has been created by bin/gen-DLA (see above) and generally looks like this:
Subject: [DLA-0023-1] SOURCEPACKAGENAME update
Debian Security Advisory DLA-0023-1                https://wiki.debian.org/LTS
----------------------------------------------------------------------------

Package        : SOURCEPACKAGENAME
Version        : VERSIONOFFIX
CVE ID         : CVE-2014-0001 CVE-2014-0002
Debian Bug     : 12345

Brief description of the issue. This can usually be copied from the DSA.
Recording the fix in the Debian Security Tracker
Finally the fix needs to be tracked in the Debian Security Tracker by adding a [squeeze] version tag, e.g. for GNUTLS:
CVE-2014-3466
	RESERVED
	{DSA-2944-1}
	- gnutls26 2.12.23-16
	- gnutls28 3.2.15-1
	[squeeze] - gnutls26 2.8.6-1+squeeze4