some additions to the announcement

git-svn-id: svn+ssh://svn.debian.org/svn/secure-testing@6934 e39458fd-73e7-0310-bf30-c45bca0a0e42

1 files changed, 49 insertions, 33 deletions

diff --git a/doc/bits_2007_10_x b/doc/bits_2007_10_x
index 6183a611c8..700629c5fe 100644
--- a/doc/bits_2007_10_x
+++ b/doc/bits_2007_10_x
@@ -4,30 +4,42 @@ We finally got around to sending this email to inform you about the
 current state of the Testing Security team and its work.
 
 If you at any stage have questions about the Testing Security team,
-please feel free to come to #debian-security on OFTC or ask one of the
-individual members of the team. A full member list can be found on
-http://www.debian.org/intro/organization.
+please feel free to come to #debian-security on OFTC or write an email to
+secure-testing-team@lists.alioth.debian.org .
+
+
+
+Security status of testing
+--------------------------
+
+Thanks to an increased size of our team, Debian Lenny is in good shape with
+respect to security and has been so for some time. We expect to be able to
+keep up this level of security support (at least) until the release of
+Debian lenny.
+
+There have been some problems with security support for testing in
+the weeks immediatly after the release of etch. We hope to improve our
+processes so that we won't run into the same problems after the release
+of lenny. There will be another announcement about the state of these
+efforts well before lenny's release.
+
+Our web page[0] has been updated to reflect the current status.
+
 
 
 New announcement mails
 ----------------------
 
-Because of the fact that most of the work that we do to move along
-security fixes ends up in the packages that automatically migrate from
-unstable to testing, this results in very little visibility of the
-work that our team does. We felt that a good way to fix this was by
-changing our security announcements.
-
 Previously we were mimicing the announcement method that Stable security
 uses by providing DTSAs (Debian Testing Security Advisories). However, 
 these were only prepared for issues that required us to manually prepare 
 package updates, thereby forcing a package into testing that would not 
 otherwise migrate automatically in a reasonable time-frame. This resulted 
-in very infrequent DTSAs because it was much easier to circumvent this
-mechanism for getting security packages into testing.
+in very infrequent DTSAs because most of the security issues were dealt
+with by fixed packages migrating from unstable to testing.
 
 Therefore, we set up daily announcements (delivered to the
-announcement mailinglist[0]), which include all new security fixes for
+announcement mailinglist[1]), which include all new security fixes for
 the testing distribution. Most commonly the email shows the migrated
 packages. If there has been a DTSA issued for a package, this will
 show up as well.
@@ -35,8 +47,8 @@ show up as well.
 In some rare cases, the Testing Security team asks the release
 managers to remove a package from testing, because a security fix in a
 reasonable amount of time seems to be unlikely and the package should
-not be offered in our opinion. In this case, the email will
-additionally include information about this case as well.
+not be part of testing in our opinion. In this case, the email will
+additionally include information about the removal.
 
 
 
@@ -50,21 +62,21 @@ have a CVE number yet, please contact the Testing Security team.  It
 is important to have a CVE id allocated, because they allow us to
 track the security problem in all Debian branches (including Debian
 stable).  When you upload a security fix to unstable, please also
-include the CVE id in your changelog and set the priority to high. The
+include the CVE id in your changelog and set the urgency to high. The
 tracker used by both the Testing and Stable Security teams, can be
-found on this webpage[1].
+found on this webpage[2].
 
 The main task of the Testing Security team is to review CVE id
 relevance to Debian, informing Debian maintainers by filing bugs to
 the BTS (if not already done) and chasing the security fix to move it
 faster into testing.  Whenever possible, we try to provide patches and
 sometimes also NMU the packages in unstable. Please do not regard an
-NMU by the Testing Security Team as a bad sign. We try to assist you
+NMU by the Testing Security team as a bad sign. We try to assist you
 in the best way to keep Debian secure. Also keep in mind that not all
 security related problems have a grave severity, so do not be
 surprised if a normal bug in the Debian BTS results in assigning a CVE
 id for it.  An up to date overview of unresolved issues in unstable
-can be found on the tracker website[2].
+can be found on the tracker website[3].
 
 
 
@@ -85,12 +97,12 @@ for migration or to prepare an upload to testing-security. For non-DDs,
 these uploads can be sponsored by every DD, preferable by a member of 
 the Testing Security team. If you get a go for an upload to 
 testing-security by one of us, please follow the guidelines on the 
-webpage[3]. If we feel the need to issue a DTSA and were not contacted 
+webpage[4]. If we feel the need to issue a DTSA and were not contacted 
 by the maintainer, we normally go ahead and upload ourselves, although 
 efforts by maintainer to be involved in this process is much preferred.
 
 An up to date overview of unresolved issues in testing can be found on
-the tracker website[4].
+the tracker website[5].
 
 
 
@@ -100,7 +112,7 @@ Embedded code copies
 There are a number of packages including source code from external
 libraries, for example poppler is included in xpdf, kpdf and others.
 To ensure that we don't miss any vulnerabilities in packages that do so
-we maintain a list[5] of embedded code copies in Debian. It is preferable
+we maintain a list[6] of embedded code copies in Debian. It is preferable
 that you do not embed copies of code in your packages, but instead link 
 against packages that already exist in the archive. Please contact us about
 any missing items you know about.
@@ -110,7 +122,7 @@ any missing items you know about.
 Some statistics
 ---------------
 
-* 32 DTSAs had been issued in 2007 so far for over 120 CVE ids
+* 35 DTSAs had been issued in 2007 so far for over 120 CVE ids
 * 33 NMUs were uploaded in the last two months to fix security flaws
 * 40 security related uploads migrated to testing in the last month
 * 5300 CVE ids had been processed by the team so far for this year
@@ -120,13 +132,16 @@ Some statistics
 New Testing Security Members
 ----------------------------
 
-Nico Golde (nion) and Steffen Joeris (white) have been added as new
-members of the Testing Security Team.
+New members are constantly added to the team. The most recent additions are
+Nico Golde, Steffen Joeris, and Thijs Kinkhorst. The circle of team members
+who may approve releases to the testing-security repository has also been
+enlarged by Stefan Fritsch (since May), and Nico Golde and Steffen Joeris
+(both added recently).
 
 If you are interested in joining the team, we always need more people,
-and its not very hard to contribute in very small ways that have large
+and it's not very hard to contribute in very small ways that have large
 impacts! Contact us if you are interested. You may want to also look at
-our helping page[6].
+our helping page[7].
 
 So far so good. We hope to keep you updated on testing security issues
 more regularly.
@@ -135,10 +150,11 @@ Yours,
 Testing Security team
 
 
-[0]: http://lists.alioth.debian.org/mailman/listinfo/secure-testing-announce
-[1]: http://security-tracker.debian.net/tracker/
-[2]: http://security-tracker.debian.net/tracker/status/release/unstable
-[3]: http://secure-testing-master.debian.net/uploading.html
-[4]: http://security-tracker.debian.net/tracker/status/release/testing
-[5]: http://svn.debian.org/wsvn/secure-testing/data/embedded-code-copies?op=file&rev=0&sc=0
-[6]: http://secure-testing-master.debian.net/helping.html
+[0]: http://secure-testing-master.debian.net/
+[1]: http://lists.alioth.debian.org/mailman/listinfo/secure-testing-announce
+[2]: http://security-tracker.debian.net/tracker/
+[3]: http://security-tracker.debian.net/tracker/status/release/unstable
+[4]: http://secure-testing-master.debian.net/uploading.html
+[5]: http://security-tracker.debian.net/tracker/status/release/testing
+[6]: http://svn.debian.org/wsvn/secure-testing/data/embedded-code-copies?op=file&rev=0&sc=0
+[7]: http://secure-testing-master.debian.net/helping.html