This document describes the work of the Frugalware Security Team. It is primarily for new developers, or for existing developers who have started working in the Security Team.
The security team opens a new task in the BTS, with a [SEC] prefix.
The maintainer fixes the issue in -current and decides whether the issue also needs fixing in -stable. If yes, they change the status of the task to "Fixed in -current"; otherwise they close the task.
If there is no patch for the issue yet, set the status to "Researching". This indicates that you, the maintainer, know about the problem but do not yet have enough resources to fix it.
The security team regularly searches for "Fixed in -current" bugs, fixes the issue in -stable and releases a new FSA (Frugalware Security Advisory).
Check that the backport is ready (the binary packages must be uploaded for each arch).
Update the frugalware/xml/security.xml file in the homepage-ng repo and check that the mail is sent to the frugalware-security list. If it is not, ask on -devel what the problem might be.
Subscribe to the Secunia Security Advisories list at http://secunia.com/secunia_security_advisories/. This is the best place to notice issues.
Read the mails one by one and check whether the advisory affects -current or -stable.
Open a task in the BTS if necessary. Please fill in the form correctly, and provide a patch if you can.
You can also read other mailing lists, such as https://lists.grok.org.uk/mailman/listinfo/full-disclosure, but Secunia monitors them, so you won't miss anything; you will just notice things later.
Secunia announces security issues days after they are released, so there is a good chance a patch already exists.
First of all, upstream sometimes fixes it with a new version.
Otherwise it is fixed in cvs/svn/whatever and you are able to find the patch there (unlike PHP).
If both of these fail, there is http://security.ubuntu.com/ubuntu/pool. Secunia also mails you when the bug is fixed in Ubuntu, so steal the patch from them :) You only need the $package-$pkgver.diff.gz. It contains a changelog, where you can find the filename of the fix.
It is also a good idea to take a look at the Red Hat and Gentoo bugzillas. They attach fixes most of the time.
So it is good to read the Secunia mails carefully, as you will always know when the patch is available.
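The Ubuntu diff.gz step above, as an added example that is not part of the Frugalware team's documentation or tooling: a small POSIX shell script that takes a downloaded $package-$pkgver.diff.gz, prints the debian/changelog entry (which names the fix), lists the patch files the diff adds under debian/patches/, and pulls out any CVE ids mentioned. The package name "foo", the version, the maintainer address and the CVE id in the embedded sample are constructed placeholders, and the script assumes the Ubuntu package keeps its fixes as files under debian/patches/, which is common but not universal.

```shell
#!/bin/sh
# Added example, not Frugalware's own tooling. Inspect a Debian/Ubuntu
# $package-$pkgver.diff.gz to locate the security fix it carries.
# Runs offline against a constructed sample diff built below.

# Build a constructed sample diff.gz standing in for a file fetched from
# http://security.ubuntu.com/ubuntu/pool/. Package "foo", its version,
# the maintainer and CVE-0000-0000 are all placeholders.
make_sample_diff() {
    cat <<'EOF' | gzip -c > "$1"
--- foo-1.2.3.orig/debian/changelog
+++ foo-1.2.3/debian/changelog
@@ -0,0 +1,7 @@
+foo (1.2.3-0ubuntu0.1) hardy-security; urgency=low
+
+  * SECURITY UPDATE: buffer overflow in parser (CVE-0000-0000)
+    - debian/patches/10_fix_parser_overflow.patch: check length before copy
+
+ -- Example Maintainer <maintainer@example.invalid>  Mon, 01 Jan 2000 00:00:00 +0000
+
--- foo-1.2.3.orig/debian/patches/10_fix_parser_overflow.patch
+++ foo-1.2.3/debian/patches/10_fix_parser_overflow.patch
@@ -0,0 +1,3 @@
+--- a/parser.c
++++ b/parser.c
+... patch body omitted in this constructed sample ...
EOF
}

# Print the lines the diff adds to debian/changelog, with the leading '+'
# stripped. Each "+++ " header switches the changelog flag on or off, so
# hunks for other files are ignored.
changelog_entry() {
    gzip -dc "$1" | awk '
        /^\+\+\+ / { in_cl = ($0 ~ /\/debian\/changelog$/); next }
        in_cl && /^\+/ { print substr($0, 2) }
    '
}

# List patch files the diff adds under debian/patches/. New files appear as
# "+++ <dir>/debian/patches/<name>" headers; a trailing tab + timestamp, if
# present, is dropped before the name is extracted.
added_patches() {
    gzip -dc "$1" | awk '
        /^\+\+\+ / && /\/debian\/patches\// {
            sub(/^\+\+\+ /, ""); sub(/\t.*$/, "")
            n = split($0, parts, "/debian/patches/"); print parts[n]
        }
    '
}

# Unique CVE ids named in the changelog entry, one per line.
cve_ids() {
    changelog_entry "$1" | grep -o 'CVE-[0-9]\{4\}-[0-9]\{4,\}' | sort -u
}

# Usage on the constructed sample.
SAMPLE_DIFF=$(mktemp)
make_sample_diff "$SAMPLE_DIFF"
echo "== changelog entry =="
changelog_entry "$SAMPLE_DIFF"
echo "== patches added under debian/patches/ =="
added_patches "$SAMPLE_DIFF"
echo "== CVE ids =="
cve_ids "$SAMPLE_DIFF"
```

For a real download, replace the constructed sample with the fetched file, e.g. `added_patches foo_1.2.3-0ubuntu0.1.diff.gz`; the changelog entry then tells you which of the listed patch files is the security fix to backport.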