Comment: All DDs can now commit to the secure-testing repository
==== Recording the fix in the Debian Security Tracker ====

Finally the fix needs to be tracked in the Debian Security Tracker by adding a [squeeze] version tag, e.g. for GNUTLS:

{{{
CVE-2014-3466
	RESERVED
	{DSA-2944-1}
	- gnutls26 2.12.23-16
	- gnutls28 3.2.15-1
	[squeeze] - gnutls26 2.8.6-1+squeeze4
}}}
Debian squeeze (6.0) LTS development
Add squeeze-lts to your sources.list
The information moved to LTS/Using.
Contribute
You can help in many ways
keep this wiki updated
Report Bugs
Please report bugs that you find in the packages to the debian-lts mailing list.
Preparing fixed packages for squeeze-lts
DDs automatically have commit access to the secure-testing repository. Otherwise you need to be a member of the secure-testing Alioth project; please request membership through the Alioth project page or through the debian-lts mailing list.
Claim the issue in lts-needed.txt
In order to prevent duplication of effort, make sure the issue is listed in data/lts-needed.txt and add your name to it.
svn co svn+ssh://svn.debian.org/svn/secure-testing
Building the update
Backport the fix to the version in squeeze or squeeze-lts (in case there's already been an earlier update). You need to set the target distribution in debian/changelog to "squeeze-lts". The versioning follows the conventions already used in security.debian.org. Historically codenames have been used as version numbers, but this was changed some time ago as version numbers are more deterministic.
- If a package has already had an update, e.g. +squeeze1, use +squeeze2 for the next update.
- If a package hasn't seen an update, use +deb6u1 for the next update.
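As an added example (not part of the original wiki page or of Debian's tooling), the following Python check derives the version the next upload should carry under the convention above and verifies the top line of debian/changelog against it before upload. The function names and sample versions are hypothetical and constructed for illustration; continuing an existing +deb6uN series by incrementing N is an assumption that goes beyond the two cases listed above.

```python
import re

# First line of a debian/changelog entry:
#   package (version) distribution; urgency=...
HEADER_RE = re.compile(r"^(?P<pkg>\S+) \((?P<ver>[^)]+)\) (?P<dist>[^;]+);")
# Update suffixes named on this page: +squeezeN (older style) and +deb6uN.
SUFFIX_RE = re.compile(r"^(?P<base>.*)\+(?P<kind>squeeze|deb6u)(?P<n>\d+)$")


def next_lts_version(current):
    """Return the version the next squeeze-lts upload should carry."""
    m = SUFFIX_RE.match(current)
    if m is None:
        # The package has not seen an update yet: start at +deb6u1.
        return current + "+deb6u1"
    # An earlier update exists: keep its suffix style and bump the counter.
    # Assumption: a +deb6uN series is continued the same way as +squeezeN.
    return "%s+%s%d" % (m.group("base"), m.group("kind"), int(m.group("n")) + 1)


def check_changelog_header(header, previous_version):
    """Return a list of problems with the top changelog line (empty if OK)."""
    m = HEADER_RE.match(header)
    if m is None:
        return ["cannot parse changelog header"]
    problems = []
    dist = m.group("dist").strip()
    if dist != "squeeze-lts":
        problems.append("target distribution is %r, expected 'squeeze-lts'" % dist)
    expected = next_lts_version(previous_version)
    if m.group("ver") != expected:
        problems.append("version is %r, expected %r" % (m.group("ver"), expected))
    return problems


if __name__ == "__main__":
    # Constructed sample input: (changelog header, version currently in squeeze).
    samples = [
        ("gnutls26 (2.8.6-1+squeeze4) squeeze-lts; urgency=high", "2.8.6-1+squeeze3"),
        ("hello (2.6-1+squeeze1) squeeze-security; urgency=high", "2.6-1"),
    ]
    for header, previous in samples:
        issues = check_changelog_header(header, previous)
        print(header, "->", issues if issues else "OK")
```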
Now build the package and run your tests. You can generate a debdiff and post it to debian-lts@lists.debian.org for review.
Now test the fixed package. If you're satisfied, upload to ftp-master. If you use dput-ng, you need to apply the patch from 745806. After that "dput CHANGES file" is sufficient. Once uploaded the package will be auto-built for amd64 or i386 (if it's an arch:any package).
Claim a DLA ID in DLA/list
Run bin/gen-DLA in the top directory of the SVN repository. It automatically generates an entry in data/DLA/list to ensure that no IDs are used twice. The following command would add an entry for src:hello fixing CVE-2014-0666 and create an advisory template for you:
bin/gen-DLA --save hello CVE-2014-0666
After that, commit your changed version of data/DLA/list.
Announcing the update
Now that the update has been released, send a mail to the debian-lts-announce mailing list. The mail needs to be signed by a PGP key in the debian.org or debian-maintainers keyring. Both PGP/MIME and inline signatures should be fine.
The advisory template has been created by bin/gen-DLA (see above) and generally looks like this:
Subject: [DLA-0023-1] SOURCEPACKAGENAME update
Debian Security Advisory DLA-0023-1                https://wiki.debian.org/LTS
----------------------------------------------------------------------------

Package        : SOURCEPACKAGENAME
Version        : VERSIONOFFIX
CVE ID         : CVE-2014-0001 CVE-2014-0002
Debian Bug     : 12345

Brief description of the issue. This can usually be copied from the DSA.