Auditing For Package Maintainers

If you are the maintainer of a package contained in the Debian archive, please consider looking over the code yourself.

The availability of source code auditing tools can ease this process significantly: even if you don't have the time to do a thorough audit yourself, they can point you to areas which are potentially problematic.

If you require assistance, please contact either the Debian Security Team or the (public) debian-security mailing list for advice on how to conduct a source code audit.

Sources for maintainers

Maintainers wishing to review source code might be interested in reading the Debconf6 paper Weeding out security bugs in Debian (slides) or the notes Short, practical overview on how to find a few common mistakes in programs written in various languages (both documents written by members of the audit project).

The Weeding out security bugs in Debian paper was presented at Debconf6, Mexico, as part of a workshop. For maintainers new to auditing, the sample code and the workshop videos might be useful.

New Releases

As part of being a responsive maintainer you should also keep an eye on new upstream releases of your package. If the changelog mentions a security problem, you should check whether the version of the code in the stable distribution is vulnerable.

If you do have a vulnerable version in the stable distribution, then please contact the security team, as described in the security team FAQ.