3470
Comment:
|
3508
you have to sign inline, actually
|
Deletions are marked like this. | Additions are marked like this. |
Line 59: | Line 59: |
Now that the update has been released, send a mail to the debian-lts-announce mailing list. The mail needs to be signed by a PGP key in the debian.org or debian-maintainers keyring. Both PGP/MIME and inline signatures should be fine. | Now that the update has been released, send a mail to the debian-lts-announce mailing list. The mail needs to be signed by a PGP key in the debian.org or debian-maintainers keyring. Please use inline signatures, the checking software does not play well with PGP/MIME yet. |
Contents
Translation(s): English - Русский
Debian squeeze (6.0) LTS development
Add squeeze-lts to your sources.list
The information moved to LTS/Using.
Contribute
You can help in many ways
keep this wiki updated
Report Bugs
Please report bugs that you found in the packages to the debian-lts mailinglist and put the person who prepared the update in copy (in case they are not subscribed to the list).
Preparing fixed packages for squeeze-lts
DDs have automatically commit access to the secure-testing repository. Otherwise you need to be member of secure-testing alioth project, please request membership trough the Alioth project page or through the debian-lts mailinglist.
Claim the issue in dla-needed.txt
In order to prevent duplication of effort, make sure the issue is listed in data/dla-needed.txt and add your name to it.
svn co svn+ssh://svn.debian.org/svn/secure-testing
Building the update
Backport the fix to the version in squeeze or squeeze-lts (in case there's already been an earlier update). You need to set the target distribution in debian/changelog to "squeeze-lts". The versioning follows the conventions already used in security.debian.org. Historically codenames have been used as version numbers, but this was changed some time ago as version numbers are more deterministic.
- If a package already e.g. had a +squeeze1 update, use +squeeze2 for the next update.
- If a package hasn't seen an update, use +deb6u1 for the next update.
Now build the package and run your tests. You can generate a debdiff and post it to debian-lts@lists.debian.org for review.
Now test the fixed package. If you're satisfied, upload to ftp-master. If you use dput-ng, you need to apply the patch from 745806. After that "dput CHANGES file" is sufficient. Once uploaded the package will be auto-built for amd64 or i386 (if it's an arch:any package).
Claim an DLA ID in DLA/list
Run bin/gen-DLA in the top directory of the SVN repository. It automacatically generates an entry in data/DLA/list to ensure that no IDs are used twice. The following command would add an entry for src:hello fixing CVE-2014-0666 and creates an advisory template for you:
bin/gen-DLA --save hello CVE-2014-0666
After that commit your changed version of data/DLA/list
Announcing the update
Now that the update has been released, send a mail to the debian-lts-announce mailing list. The mail needs to be signed by a PGP key in the debian.org or debian-maintainers keyring. Please use inline signatures, the checking software does not play well with PGP/MIME yet.
The advisory template has been created by bin/gen-DLA (see before) and generally looks like this:
Subject: [DLA $DLA-1] $SOURCEPACKAGENAME security update Package : $SOURCEPACKAGENAME Version : $squeeze_VERSION CVE ID : CVE-2014-0001 CVE-2014-0002 Debian Bug : 12345 DLA text goes here [...]