Debian Security Audit FAQ

This page lists some of the common questions visitors may have when hearing of this project for the first time.

What is the Debian Security Audit Project?

The Debian Security Audit Project is a small project conducted within the Debian project, designed to take a proactive stance towards security by performing source code audits of the packages available to Debian users.

The audit is focussed upon the Debian stable distribution, with the auditing work being directed by the package prioritization guidelines.

When was the Debian Security Audit Project started?

The first advisory was released in December 2002, followed by a series of additional advisories over time.

It continued in an unofficial capacity until being granted an official status in May 2004 by the Debian Project Leader, Martin Michlmayr.

Which advisories have resulted from the auditing effort?

There have been multiple advisories released as part of the auditing work. All those which were released before the project was given official status are listed in the Audit Advisories page.

It is hoped that in the near future, publicly-known advisories issued by the project after that time can be found by looking at the Debian Security Advisory reports and searching for Debian Security Audit Project.

Is all audit work related to advisories?

Actually no. There are many security issues that the audit process has found that are not immediately exploitable (they might, however, make a program crash). Some other exploitable security issues we've found were not present in Debian's official stable release but were present in the testing or unstable release. All of these are reported through Debian's bug tracking system (and in some cases directly to upstream authors).

Who has contributed to this work?

Steve Kemp started the Debian Security Audit project, creating its initial process, and tested it by finding many vulnerabilities.

Ulf Härnhammar joined during this early unofficial time and found several vulnerabilities which have since been fixed. Ulf was followed shortly afterward by Swaraj Bontula and Javier Fernández-Sanguino, who also found several significant security problems.

David A. Wheeler goaded Steve Kemp into volunteering to lead it as an official Debian project, which was made possible by the involvement of Debian Project Leader Martin Michlmayr. David also made many helpful suggestions about the content of these pages, directly contributing several sections.

The Debian Security team have been very helpful in making auditing succeed by making sure that any vulnerabilities found are rapidly fixed and distributed to the world.

The following people have contributed at least one security advisory in the name of the project:

More contributors are always welcome!

How can I contribute?

If you have the time and skills necessary to audit a package then simply go ahead and do so!

The auditing overview should give you a good idea of how to go about the job — any additional questions you might have may be asked upon the debian-security mailing list.

Can I discuss specific packages upon the mailing list?

It's best if you do not name packages containing problems which you have discovered before a DSA has been released, as this allows malicious users to take advantage of any flaws you describe before they are fixed.

Instead the mailing list can be used to describe a piece of code and ask for opinions on whether it is exploitable, and how it may be fixed.

How can I contribute as a package maintainer?

Package maintainers can help ensure the security of the software that they package by looking over the code themselves, or asking for help.

Please see the auditing for package maintainers overview.

How do I report a problem I discover?

There is a section in the Security Team FAQ describing the process.

Is a list of packages which have been audited and found clean available?

No, packages which have been examined and had no problems found within them are not listed publicly.

This is partly because there may well be problems lurking which were missed and partly because the audits have been conducted by several people without a great deal of coordination.

Where can I find more information?

There is currently no mailing list you can subscribe to ask questions. For the time being, please use the debian-security mailing list.