The manpower in the Testing Security team could be better currently. Steffen Joeris currently has no hardware to work because his machine broke and thus only 1-2 active people are currently left doing Testing Security work. Looking at the workload we have to handle we definitely need help.
That is why we call for help.
What we do:
The Testing Security team tracks each new CVE id and watches for security-relevant
bugs arising in our BTS or security mailing lists. After gathering the information
about the specific problem we report bugs to the maintainers, track the issues in
the Debian Security Tracker and work on patches. If needed we also upload NMUs
to fix a security issue in unstable.
We also keep track of security issues in testing. Most of this is to watch if a
fix can migrate to testing in a reasonable time frame. We stay in close contact
with members of the release team to request urgency bumps if needed. If a
package is not going to migrate to testing in a few days we prepare uploads to the
testing-security distribution to make them available through the
security.debian.org archives and issue a DTSA (Debian Testing Security Advisory).
Looking for new members:
We are looking for new members to ensure a constant support for the testing and the
unstable branch. The requirements for this are (you don't need to fulfill them all to
- You need to be able to work with subversion as the tracker data is based on a subversion
- You must have some time to kill on a regular basis as new CVE ids come in every 2-3 days.
- You need to have experience in at least common security mechanisms and flaws.
If you also want to help in preparing updates:
- You need to be fairly experienced in programming, both in understanding and writing code
as well as in backporting code from newer upstream releases. Of course you don't need to
understand every language in the archive, having a solid knowledge of one language is
also a great help.
- You need to be familiar with different build mechanisms of Debian packages.
So you don't need to match all of these requirements.
One important difference to the Stable Security team is that you don't necessarily need
to be a Debian developer to help us since the tracker is an alioth project and we can
add you to the alioth group with a normal account as well.
If you are willing to help us, please contact us via our mailing list or
visit us in #debian-security (oftc.net).
Any further information can be found on our homepage. Especially see our
help page and have a look into our narrative introduction.
On behalf of the Testing Security team