Debian Security Audit FAQ
This page lists some of the common questions visitors may have when hearing of this project for the first time.
- What is the Debian Security Audit Project?
- When was the Debian Security Audit Project started?
- Which advisories have resulted from the auditing effort?
- Is all audit work related to advisories?
- Who has contributed to this work?
- How can I contribute?
- Can I discuss specific packages upon the mailing list?
- How can I contribute as a package maintainer?
- How do I report a problem I discover?
- Are packages audited and found clean available?
- Where can I find more information?
What is the Debian Security Audit Project?
The Debian Security Audit Project is a small project conducted within the Debian project, designed to take a proactive stance towards security by performing source code audits of the packages available to Debian users.
The audit is focussed upon the Debian stable distribution, with the auditing work being directed by the package prioritization guidelines.
When was the Debian Security Audit Project started?
The first advisory was released in December 2002, followed by a series of additional advisories over time.
It continued in an unofficial capacity until being granted an official status in May 2004 by the Debian Project Leader, Martin
Which advisories have resulted from the auditing effort?
There have been multiple advisories released as part of the auditing work; all those which were released before the project was given official status are listed in the Audit Advisories page.
It is hoped that in the near future, publicly-known advisories from the project after this time can be found by looking at the Debian Security Advisory reports and searching for "Debian Security Audit".
Is all audit work related to advisories?
Actually, no. There are many security issues that the audit process has found that are not immediately exploitable (they might, however, make a program crash). Some other exploitable security issues we've found were not present in Debian's official stable release but were present in the testing or unstable release. All of these are reported through Debian's bug tracking system (and in some cases directly to upstream authors).
Who has contributed to this work?
Steve Kemp started the Debian Security Audit project, creating its initial process, and tested it by finding many vulnerabilities.
Ulf Härnhammar joined during this early unofficial time and found several vulnerabilities which have since been fixed. Ulf was followed shortly afterward by Swaraj Bontula and Javier Fernández-Sanguino, who also found several significant security problems.
David A. Wheeler goaded Steve Kemp into volunteering to lead it as an official Debian project, which was made possible by the involvement of Debian Project Leader Martin Michlmayr. David also made many helpful suggestions about the content of these pages, directly contributing several sections.
The Debian Security team have been very helpful in making auditing succeed by making sure that any vulnerabilities found are rapidly fixed and distributed to the world.
The following people have contributed at least one security advisory in the name of the project:
- Eduard Bloch
- Javier Fernández-Sanguino Peña
- Max Vozeler
- Steve Kemp
- Swaraj Bontula
- Ulf Härnhammar
How can I contribute?
More contributors are always welcome!
If you have the time and skills necessary to audit a package then simply go ahead and do so!
Can I discuss specific packages upon the mailing list?
It's best if you do not name packages containing problems which you have discovered before a DSA has been released, as this allows malicious users to take advantage of any flaws you describe before they are fixed.
Instead, the mailing list can be used to describe a piece of code and ask for opinions on whether it is exploitable, and how it may be fixed.
How can I contribute as a package maintainer?
Package maintainers can help ensure the security of the software that they package by looking over the code themselves, or asking for help.
Please see the auditing for package maintainers overview.
How do I report a problem I discover?
There is a section in the Security Team FAQ describing the process.
Are packages audited and found clean available?
No, packages which have been examined and had no problems found within them are not listed publicly.
This is partly because there may well be problems lurking which were missed and partly because the audits have been conducted by several people without a great deal of coordination.
Where can I find more information?
There is currently no mailing list you can subscribe to ask questions. For the time being, please use the debian-security mailing list.