Debian Security Tools Packaging Team (pkg-security)


Interacting with the team

Usual roles

Task description

Maintain correctly all security related tools. Merge back tools packaged by security-oriented Debian derivatives.

How to join the team

Introduce yourself

Subscribe to our mailing list and ideally send a short introductory message presenting you and letting us know on what you'd like to work. If you have any questions at this stage, use this opportunity to ask your questions. You can also ask your questions on the IRC channel if you prefer.

Find something to contribute

If you don't exactly know where to start, here are a few suggestions, sorted by increasing difficulty:

In most cases, you will have to submit merge requests to submit the result of your work.

For entirely new packages, you can prepare the git repositories in your own account and then ask some team admin to copy them in the team's group. Or you can ask a team member to create the repository for you in the pkg-security-team group and then grant you access to this repository only.

Get commit rights

After you have done a few good contributions to the team, you probably want to have git commit rights to be able to push your work directly without having to submit merge requests.

If you are in this situation, please send a mail to the mailing list and give your username, one of the team administrators will add you as developer either to the pkg-security-team group or directly to the project where you are involved.

Packaging rules

Checking out all repositories

You can retrieve all repositories of the team:

$ sudo apt install myrepos
$ mr bootstrap pkg-security-team

Or you can do the same with the helper script provided in the pkg-security-team repository:

$ sudo apt install myrepos
$ git clone
$ cd pkg-security-team
$ bin/setup-team-repos

That repository also contain other helper scripts to create a new repository and to enforce common settings across all projects of the team.

Git packaging tool and repository layout

We use git-buildpackage with full sources stored in the repository and with pristine-tar to be able to retrieve the orig tarball out of the git repository. We strive to respect DEP-14 for the repository layout so the default branch should be "debian/master".

For a better experience you might want to set the following options in ~/.gbp.conf:

pristine-tar = True
cleaner = /bin/true

sign-tags = True
export-dir = ../build-area/
ignore-branch = True

filter-pristine-tar = True
debian-branch = debian/master

patch-numbers = False

multimaint-merge = True
ignore-branch = True

The "ignore-branch" is important so that git-buildpackage doesn't complain of the unexpected name of the packaging branch. The "export-dir" setting ensures builds are done on a separate copy of the sources, thus avoiding to pollute/break the git repository with build artifacts.

NOTE: This file is created automatically for you when you run bin/auto-update from the pkg-security-team repository.



NOTE: This file is created automatically for you when you run bin/auto-update from the pkg-security-team repository.

NOTE: Those settings can be applied by running bin/update-repos $repository_name from the pkg-security-team repository.

Creating new repositories

Salsa team's maintainers and owners can create new repositories. If you don't have the required permissions, feel free to ask for a new repository on the project mailing list. Someone will set it up for you and grant you full access to it.

When you create a new repository, you should configure it in the following way:

All this can be automated with "bin/create-repo" or "bin/update-repos" from the pkg-security-team project.

Packaging helper

We use the "dh" command provided by debhelper to ensure we have short but expressive debian/rules files.

Maintainer field

The Maintainer field should be set to Debian Security Tools <>. That way the package will be automatically added to the pkg-security team on and the discussion mailing list is not polluted with bug reports and all other maintainer emails.

NOTE: This changes is made automatically for you when you run bin/auto-update from the pkg-security-team repository.