authorMoritz Muehlenhoff <jmm@debian.org>2021-02-26 14:56:48 +0100
committerMoritz Muehlenhoff <jmm@debian.org>2021-02-26 14:58:41 +0100
commit4a9583f0db1075f64f736055b9a61dc4be87b9e2 (patch)
treeee1fce58535ef8c3b80ac4f9c5defba917b6b413 /doc
parent700b60185e976cde011aa64a417b69439852e960 (diff)
no-dsa triage page for the PTS (WIP)
Diffstat (limited to 'doc')
-rw-r--r--doc/security-team.d.o/triage33
1 files changed, 33 insertions, 0 deletions
diff --git a/doc/security-team.d.o/triage b/doc/security-team.d.o/triage
new file mode 100644
index 0000000000..40766ccb99
--- /dev/null
+++ b/doc/security-team.d.o/triage
@@ -0,0 +1,33 @@
+Security updates affecting a released Debian suite can fall under three types:
+
+- The security issue(s) are important enough to warrant an out-of-band update released via security.debian.org which gets announced as a DSA.
+ These are getting announced via debian-security-announce and also redistributed via other sources (news feeds etc).
+
+- Low severity updates can be included in point releases, which are getting released every 2-3 months (any user using the -proposed-updates
+ mechanism can also use them before they get released). This provides a good balance between fixing low impact issues before the next stable
+ release, which can simply all be installed in one go when a point release happens.
+
+- Some issues are simply not worth fixing in a stable release (for multiple reasons, e.g. because they are mostly a PR hype, or because they
+ are mitigated in Debian via a different config or toolchain hardening).
+
+Every incoming security issues gets triaged. Security issues which are being flagged for the second category are being displayed in the
+Debian Package Tracker (tracker.debian.org), in fact you might have been redirected from the PTS to his page.
+
+For every CVE listed there, there are three possible options:
+
+- Prepare an update for the next point release following:
+https://www.debian.org/doc/manuals/developers-reference/pkgs.en.html#special-case-uploads-to-the-stable-and-oldstable-distributions
+If you CC team@security.debian.org for the release.debian.org bug, the fixed version will get recorded in the Debian Securiy Tracker.
+
+- Some packages have a steady flow of security issues and there's also the option to postpone an update to a later time, in other words
+to get piggybacked to a future DSA for a more severe security issue or held back until a few more low severity issues are known. In the
+Security Tracker these are tracked with the <postponed> state, often this means that a fix has been commited to e.g. a buster branch
+in salsa, but no upload has been made yet. You can either send a mail to team@security.debian.org and we'll update the state or
+you can also make the change yourself if you're familiar with the Security Tracker.
+
+- Some packages should rather not be fixed at all, e.g. because the possible benefit does not outweigh the risk/costs of an update
+or because an update is not possible (e.g. as it would introduce behavioural not appropriate for a stable release). In the
+Security Tracker these are tracked with the <ignored> state. You can either send a mail to team@security.debian.org and we'll update
+the state or you can also make the change yourself if you're familiar with the Security Tracker.
+
+Any of the three actions above will make the CVE ID disappear from the "low severity" entry in the Security Tracker.
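Review bot: the second bullet of the first list (the "point releases" paragraph) is incomplete: "provides a good balance between fixing low impact issues before the next stable release, which can simply all be installed in one go" opens a "balance between X and Y" construction but never supplies the second half, so the sentence does not parse; spell out both sides, e.g. "a good balance between fixing low impact issues before the next stable release and limiting the number of separate updates users have to install, since point-release fixes can all be installed in one go." Several typos in the same file should go before this leaves WIP: "Every incoming security issues gets triaged" (issue), "redirected from the PTS to his page" (this page), "Debian Securiy Tracker" (Security), "has been commited" (committed), and "introduce behavioural not appropriate for a stable release" is missing a noun (behavioural changes). The phrases "are getting announced" and "are getting released" read better as "are announced" and "are released". Finally, the "three possible options" per CVE are described in prose only; since the page tells the reader they may set the <postponed> or <ignored> state themselves "if you're familiar with the Security Tracker", a pointer to where those states are edited (or to the tracker's own documentation) would make the self-service path actionable.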
