Differences between revisions 63 and 64
Revision 63 as of 2014-08-29 18:09:42
Size: 3924
Editor: ?SalvatoreBonaccorso
Comment: All DDs can now commit to the secure-testing repository
Revision 64 as of 2014-09-02 19:20:56
Size: 3564
Editor: ?SalvatoreBonaccorso
Comment:
Section at line 77, present in revision 63 and removed in revision 64:
==== Recording the fix in the Debian Security Tracker ====

Finally the fix needs to be tracked in the Debian Security Tracker by adding a [squeeze] version tag, e.g. for GNUTLS:

{{{
CVE-2014-3466
        RESERVED
        {DSA-2944-1}
        - gnutls26 2.12.23-16
        - gnutls28 3.2.15-1
        [squeeze] - gnutls26 2.8.6-1+squeeze4
}}}


Debian squeeze (6.0) LTS development

Add squeeze-lts to your sources.list

The information moved to LTS/Using.

Contribute

You can help in many ways

Report Bugs

Please report bugs that you find in the packages to the debian-lts mailing list.

Preparing fixed packages for squeeze-lts

DDs automatically have commit access to the secure-testing repository. Otherwise you need to be a member of the secure-testing Alioth project; please request membership through the Alioth project page or through the debian-lts mailing list.

Claim the issue in lts-needed.txt

In order to prevent duplication of effort, make sure the issue is listed in data/lts-needed.txt and add your name to it.

svn co svn+ssh://svn.debian.org/svn/secure-testing

Building the update

Backport the fix to the version in squeeze or squeeze-lts (in case there's already been an earlier update). You need to set the target distribution in debian/changelog to "squeeze-lts". The versioning follows the conventions already used in security.debian.org. Historically codenames have been used as version numbers, but this was changed some time ago as version numbers are more deterministic.

  • If a package already e.g. had a +squeeze1 update, use +squeeze2 for the next update.
  • If a package hasn't seen an update, use +deb6u1 for the next update.
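The versioning rule above is mechanical enough to script. The following POSIX shell function is an added example, not part of the Debian wiki page or of the secure-testing tools; it derives the next squeeze-lts version from the current one and also generalizes the rule to a package that already carries a +deb6uN revision (the next LTS update then gets +deb6u(N+1), following the same security.debian.org convention). Version strings used in the comments are constructed.

```sh
#!/bin/sh
# Added example (not from the wiki page or any Debian tool): compute the
# version for the next squeeze-lts upload from the currently shipped version.
#
# Rules from the page:
#   - already had +squeezeN   -> +squeeze(N+1)
#   - never had an update     -> +deb6u1
# Generalization (assumption, standard Debian practice):
#   - already had +deb6uN     -> +deb6u(N+1)

next_lts_version() {
    cur="$1"
    case "$cur" in
        *+squeeze[0-9]*)
            # Package already received a +squeezeN security update: bump N.
            base="${cur%+squeeze*}"
            n="${cur##*+squeeze}"
            echo "${base}+squeeze$((n + 1))"
            ;;
        *+deb6u[0-9]*)
            # Package already received a +deb6uN LTS update: bump N.
            base="${cur%+deb6u*}"
            n="${cur##*+deb6u}"
            echo "${base}+deb6u$((n + 1))"
            ;;
        *)
            # No previous security or LTS update: first LTS revision.
            echo "${cur}+deb6u1"
            ;;
    esac
}

# Constructed sample inputs; e.g. 2.8.6-1+squeeze4 -> 2.8.6-1+squeeze5
next_lts_version 2.8.6-1+squeeze4
next_lts_version 2.8.6-1
next_lts_version 1.0-3+deb6u1
```

The function only produces the version string; the target distribution in debian/changelog still has to be set to "squeeze-lts" by hand (or via dch) as described above.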

Now build the package and run your tests. You can generate a debdiff and post it to debian-lts@lists.debian.org for review.

Now test the fixed package. If you're satisfied, upload to ftp-master. If you use dput-ng, you need to apply the patch from 745806. After that "dput CHANGES file" is sufficient. Once uploaded, the package will be auto-built for amd64 or i386 (if it's an arch:any package).

Claim a DLA ID in DLA/list

Run bin/gen-DLA in the top directory of the SVN repository. It automatically generates an entry in data/DLA/list to ensure that no IDs are used twice. The following command would add an entry for src:hello fixing CVE-2014-0666 and create an advisory template for you:

 bin/gen-DLA --save hello CVE-2014-0666

After that, commit your changed version of data/DLA/list.

Announcing the update

Now that the update has been released, send a mail to the debian-lts-announce mailing list. The mail needs to be signed by a PGP key in the debian.org or debian-maintainers keyring. Both PGP/MIME and inline signatures should be fine.

The advisory template has been created by bin/gen-DLA (see above) and generally looks like this:

Subject: [DLA-0023-1] SOURCEPACKAGENAME update

 Debian Security Advisory DLA-0023-1       
 https://wiki.debian.org/LTS
 ----------------------------------------------------------------------------
 Package        : SOURCEPACKAGENAME
 Version        : VERSIONOFFIX
 CVE ID         : CVE-2014-0001 CVE-2014-0002
 Debian Bug     : 12345

 Brief description of the issue. This can usually be copied from the DSA.


CategoryLts