
Chapter 7. Debian Security Infrastructure

7.1. The Debian Security Team
7.2. Debian Security Advisories
7.2.1. Vulnerability cross references
7.2.2. CVE compatibility
7.3. Security Tracker
7.4. Debian Security Build Infrastructure
7.4.1. Developer's guide to security updates
7.5. Package signing in Debian
7.5.1. The current scheme for package signature checks
7.5.2. Secure apt
7.5.3. Per distribution release check
7.5.4. Release check of non Debian sources
7.5.5. Alternative per-package signing scheme

7.1. The Debian Security Team

Debian has a Security Team that handles security in the stable distribution. Handling security means they keep track of vulnerabilities that arise in software (watching forums such as Bugtraq or vuln-dev) and determine whether the stable distribution is affected by them.
The Debian Security Team is also the contact point for problems that are not Debian-specific, that is, problems coordinated by upstream developers or by organizations such as http://www.cert.org which might affect multiple vendors. The contact point of the Security Team is mailto:team@security.debian.org, which only the members of the security team read.
Sensitive information should be sent to that address and, in some cases, should be encrypted with the Debian Security Contact key (as found in the Debian keyring).
Once a probable problem is received by the Security Team, it investigates whether the stable distribution is affected and, if it is, a fix is made for the source code base. This fix will sometimes include backporting the patch made upstream (which usually is some versions ahead of the one distributed by Debian). After testing of the fix is done, new packages are prepared and published on the http://security.debian.org site so they can be retrieved through apt (see Section 4.2, "Execute a security update"). At the same time a Debian Security Advisory (DSA) is published on the web site and sent to public mailing lists including http://lists.debian.org/debian-security-announce and Bugtraq.
More frequently asked questions can be found in Section 12.3, "Questions regarding the Debian security team".