Point Release Security Co-ordinator

In ‘Bits from the Security Team‘ a few weeks ago, Thijs Kinkhorst wrote:

Since a couple of years we’ve been handing off security issues of minor or
theoretical impact but for which a fix would be desirable at some point, like
certain classes of denial-of-service attacks, off to stable point updates.
We’re looking for a person that wants to coordinate this: monitor the Security
Tracker for issues classified as such by the Security Team, converse with
maintainers to get such updates done and coordinate with the stable release
managers on this.

I’m happy to confirm, now that it’s been announced, that I am that person: point release security co-ordinator.

Affected packages

If your package fulfils these criteria:

  • it had a security problem reported in the past (that is, it was allocated a CVE number);
  • it didn’t get a Debian Security Advisory, but it wasn’t marked “unimportant” in our tracker;
  • it has been fixed in unstable, but the version in stable or oldstable is still vulnerable

it is a candidate for updating in stable or oldstable, and you’ll probably receive a mail from me at some point asking you to do so.

You can pre-empt this mail of course, by backporting your fix to the affected versions and contacting the release team to get your fix into stable, without waiting for me. In such a case, please drop me a note with the details so I can tick your off on my hit^W candidate list.

Making a stable/oldstable upload

This is documented in the Developer’s Reference, but to summarise:

  1. Prepare your fix, targetting stable or oldstable, and build it in an up-to-date chroot for that release
  2. Send a diff of the new package to the release team, asking for permission to upload
  3. Upload as normal, and wait for it to be included in the next point release. Meanwhile, notify the security team of your upload, if it fixes a CVE.

Tracking candidate packages

I’m going to start off tracking filed bugs for SPU candidates and OSPU candidates with usertags in the BTS, under my own address. In time that might be merged into an address used by the security team, but for now I’m still finding a good workflow so it’s much easier this way.