Product SiteDocumentation Site

7.4. Debian 安全构建机制

因为当前的 Debian 支持大多数的平台, 管理员有时想知道是不是某一平台的安全更新比其它平台需要更多的时间. 事实上除了极罕见的情况外, 所有平台都是同事更新的.
Packages in the security archive are autobuilt, just like the regular archive. However, security updates are a little more different than normal uploads sent by package maintainers since, in some cases, before being published they need to wait until they can be tested further, an advisory written, or need to wait for a week or more to avoid publicizing the flaw until all vendors have had a reasonable chance to fix it.
Thus, the security upload archive works with the following procedure:
  • 有人发现了安全问题.
  • Someone fixes the problem, and makes an upload to's incoming (this someone is usually a Security Team member but can be also a package maintainer with an appropriate fix that has contacted the Security Team previously). The Changelog includes a testing-security or stable-security as target distribution.
  • 提交由一个 Debian 系统完成检查和处理, 然后将其转移到 queue/accepted, 并在 buildds 上通告. 这些文件可由安全小组和(间接的) buildds 访问.
  • Security-enabled buildds 对源码包进行整理, 打包, 然后将日志发送给安全小组.
  • 安全小组对日志做出回应, 最新构建的软件包将被上载到 queue/unchecked, 在这里它们由 Debian 系统统一处理, 然后转移到 queue/accepted.
  • 当安全小组发现源码包可以接受时(即,它可以在各种平台正确的构建, 并且修复了安全漏洞, 而自身不会产生新的问题), 他们将会运行一个脚本来完成:
    • 软件包安装到安全归档区.
    • updates the Packages, Sources and Release files of in the usual way (dpkg-scanpackages, dpkg-scansources, ...).
    • 设定安全小组完成的模板通告.
    • forwards the packages to the appropriate proposed-updates so that it can be included in the real archive as soon as possible.
早先由手工完成的这些工作, 被测试后进入处于冻结阶段的 Debian 3.0 woody(2002年7月). 感谢这种机制, 使得安全小组可以在不到一天的时间内为所有的(大约二十种)平台更新 apache 和 OpenSSH.

7.4.1. 安全更新的开发指南

Debian developers that need to coordinate with the security team on fixing in issue in their packages, can refer to the Developer's Reference section