[Secure-testing-commits] r11654 - doc

Michael Gilbert gilbert-guest at alioth.debian.org
Sun Apr 19 23:28:54 UTC 2009


Author: gilbert-guest
Date: 2009-04-19 23:28:54 +0000 (Sun, 19 Apr 2009)
New Revision: 11654

Modified:
   doc/narrative_introduction
Log:
some updates to wording of the narrative_introduction


Modified: doc/narrative_introduction
===================================================================
--- doc/narrative_introduction	2009-04-19 23:27:56 UTC (rev 11653)
+++ doc/narrative_introduction	2009-04-19 23:28:54 UTC (rev 11654)
@@ -192,14 +192,25 @@
 
 Bug numbers can be added as in the example above. To avoid duplicate bugs,
 "bug filed" can be added instead of "bug #123456" when the bug report has
-been sent but the bug number is not yet known.  The bug numbers are used
-to add additional references for the overview page and the Security Bug
-Tracker and they are parsed by a script that generates user tags "tracked"
-for the user debian-security at lists.debian.org. This way you can generate
-a BTS query for all issues in the BTS that are tagged "security" and are
-not yet added to our tracker:
+been sent but the bug number is not yet known (however, it is more 
+desirable to file the bug, wait for the BTS to assign a number, then update 
+the entry in the CVE list so that complete information is always available
+in the tracker).  The bug number is important because it makes it clear
+that the maintainer has been contacted about the problem, and that they are 
+aware of their responsibility to work swiftly toward a fix.  The bug 
+numbers are  also used to add additional references for the overview page 
+and the Security Bug Tracker.  They are parsed by a script that generates 
+user tags "tracked" for the user debian-security at lists.debian.org, which 
+enables BTS users to generate a query for all of the issues that are tagged 
+"security" but not yet added to the tracker:
 http://bugs.debian.org/cgi-bin/pkgreport.cgi?tag=security;users=debian-security@lists.debian.org;exclude=tracked
 
+Since CVEs often drop in bulk, submission of multiple CVEs in a single bug
+report is permissable and encouraged.  However, some maintainers have 
+indicated a preference for only one issue per bug report.  The following 
+is a list of packages for which each CVE should be reported separately:
+    - php5
+
 A special exception is made for kernel related issues. The kernel-sec
 group will take care of them and file bugs if needed.
 
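Review bot: "permissable" in the added paragraph on bulk CVE submissions is misspelled and should read "permissible". In the same hunk, "numbers are  also used" contains a double space, and several added lines (for example the ones ending "it is more " and "The bug ") carry trailing whitespace that should be stripped. The new parenthetical recommends filing the bug, waiting for the BTS to assign a number, and then updating the CVE list entry, but it does not say whether "bug filed" should still be recorded in the interim; since the sentence it extends introduces "bug filed" precisely to avoid duplicate bugs, one more clause stating that would remove the ambiguity. The list of packages wanting one CVE per report has a single entry (php5) and no pointer to how a maintainer gets added to it, so consider saying where such a preference should be registered.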



