The Debian Developer's Guide to Security Updates

The new Debian Developer's Guide to Security Updates has been posted. It describes how a Debian maintainer should interact with the new security apparatus; it's interesting in that it provides a view into how one distributor handles security issues.

For the most part, it's fairly straightforward stuff. Some highlights:

  • Maintainers should always involve the "Security Team" in the fix. The Team keeps track of outstanding security issues, interacts with other distributors, writes the security advisories, etc. Among other things, the Team can help ensure that information on a remotely exploitable vulnerability is not released too soon.

  • Fixing a security hole by going to the latest version of the affected package is usually not seen as a good idea. A security fix should be done with the smallest possible change, which can mean backporting the fix to whatever older version Debian had shipped.

  • A special location has been set up for uploading security fixes; the updated package will then be automatically rebuilt for all architectures supported by Debian. The ability to provide updated packages for all architectures was, of course, a big part of the motivation behind the new security mechanism.

The full story can be found in the document, of course.

Copyright © 2002, Eklektix, Inc.