Because of CVE-2015-0847 and CVE-2013-7441, two security issues in nbd-server, I've had to prepare updates for nbd, for which there are various supported versions: upstream, unstable, stable, oldstable, oldoldstable, and oldoldstable-backports. I've just finished uploading security fixes for the various supported versions of nbd-server in Debian. There are various relevant archives, and unfortunately it looks like they all have their own way of doing things regarding security:
- For squeeze-lts (oldoldstable), you check out the secure-testing repository, run a script from that repository that generates a DLA number and email template, commit the result, and send a signed mail (whatever format) to the relevant mailinglist. Uploads go to ftp-master with squeeze-lts as target distribution.
- For backports, you send a mail to the team alias requesting a BSA number, do the upload, and write the mail (based on a template that you need to modify yourself), which you then send (inline signed) to the relevant mailinglist. Uploads go to ftp-master with $dist-backports as target distribution, but you need to be in a particular ACL to be allowed to do so. However, due to backports policy, packages should never be in backports before they are in the distribution from which they are derived -- so I refrained from uploading to backports until the regular security update had been done. Not sure whether that's strictly required, but I didn't think it would do harm; even so, that did mean the procedure for backports was even more involved.
- For the distributions supported by the security team (stable and oldstable, currently), you prepare the upload yourself, ask permission from the security team (by sending a debdiff), do the upload, and then ask the security team to send out the email. Uploads go to security-master, which implies that you may have to use dpkg-buildpackage's -sa parameter in order to make sure that the orig.tar.gz is actually in the security archive.
- For unstable and upstream, you Just Upload(TM), because it's no different from a regular release.
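Two of the steps above are easy to get wrong silently: the target distribution in the .changes file (squeeze-lts, $dist-backports, or the security suite) and, for security-master, whether the upload actually carries the orig tarball (the thing dpkg-buildpackage -sa is for). The script below is an added example, not code from the original post or from Debian's tooling: it reads the Distribution: and Files: fields that dpkg-genchanges writes and refuses the file when either is not what you expect. The sample .changes files, their version strings, sizes and hashes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original post or of the Debian tools.
#
# check_changes FILE.changes EXPECTED_DIST [yes|no]
#   - fails when the Distribution: field is not EXPECTED_DIST
#     (e.g. squeeze-lts, wheezy-backports, or the security suite)
#   - with a third argument of "yes", also fails when no .orig.tar.* is
#     listed under Files:, which is what you get when you forget
#     dpkg-buildpackage -sa for an upload to security-master that needs
#     the orig tarball
check_changes() {
    changes=$1
    want_dist=$2
    need_orig=${3:-no}

    dist=$(sed -n 's/^Distribution:[[:space:]]*//p' "$changes")
    if [ "$dist" != "$want_dist" ]; then
        echo "$changes: Distribution is '$dist', expected '$want_dist'" >&2
        return 1
    fi

    if [ "$need_orig" = yes ]; then
        # Files: is followed by one indented line per file; the sed range
        # stops at the next unindented line or at end of file.
        if ! sed -n '/^Files:/,/^[^ ]/p' "$changes" | grep -q '\.orig\.tar\.'; then
            echo "$changes: no orig tarball listed; rebuild with dpkg-buildpackage -sa" >&2
            return 1
        fi
    fi
    return 0
}

# Constructed sample .changes files; versions, sizes and hashes are made up.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

GOOD="$WORK/good.changes"
cat > "$GOOD" <<'EOF'
Format: 1.8
Source: nbd
Version: 1:0.0-1+deb6u1
Distribution: squeeze-lts
Files:
 0123456789abcdef0123456789abcdef 1800 net optional nbd_0.0-1+deb6u1.dsc
 0123456789abcdef0123456789abcdef 800000 net optional nbd_0.0.orig.tar.gz
 0123456789abcdef0123456789abcdef 30000 net optional nbd_0.0-1+deb6u1.debian.tar.gz
EOF

# Same upload built without -sa: the orig tarball is absent from Files:.
NO_ORIG="$WORK/no_orig.changes"
sed '/\.orig\.tar\./d' "$GOOD" > "$NO_ORIG"

# Same upload accidentally targeted at unstable instead of squeeze-lts.
WRONG_DIST="$WORK/wrong_dist.changes"
sed 's/^Distribution: .*/Distribution: unstable/' "$GOOD" > "$WRONG_DIST"

# Demonstration run; the first call passes, the other two are rejected.
check_changes "$GOOD" squeeze-lts yes && echo "ok: $GOOD"
check_changes "$NO_ORIG" squeeze-lts yes || echo "rejected: missing orig tarball"
check_changes "$WRONG_DIST" squeeze-lts no || echo "rejected: wrong distribution"
```

Run it against the real .changes file just before dput, with the distribution you intend and "yes" as the third argument whenever the archive you are uploading to has never seen that orig tarball. It only inspects the two fields the post talks about; it does not replace the archive's own checks, and it says nothing about whether the security team has approved the debdiff.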
While I understand how the differences between the various approaches have come to exist, I'm not sure I understand why they are necessary. Clearly, there's some room for improvement here.
As anyone who reads the above may see, doing an upload for squeeze-lts is in fact the easiest of the three "stable" approaches, since no intermediate steps are required. While I'm not about to advocate dropping all procedures everywhere, a streamlining of them might be appropriate.