[Secure-testing-commits] r12800 - doc

Michael Gilbert gilbert-guest at alioth.debian.org
Sun Sep 13 19:07:35 UTC 2009


Author: gilbert-guest
Date: 2009-09-13 19:07:35 +0000 (Sun, 13 Sep 2009)
New Revision: 12800

Modified:
   doc/narrative_introduction
Log:
narrative_introduction
- update on removed-packages file
- clean up some formatting and grammar

Modified: doc/narrative_introduction
===================================================================
--- doc/narrative_introduction	2009-09-13 18:25:37 UTC (rev 12799)
+++ doc/narrative_introduction	2009-09-13 19:07:35 UTC (rev 12800)
@@ -60,8 +60,8 @@
 password twice. This is normal and to be expected. After successfully
 downloading, you will have a new directory called secure-testing. Inside
 this directory are a number of subdirectories.  The data directory is
-where we do most of our work.  If you don't have Alioth account, you can
-create one at:
+where we do most of our work.  If you don't have an Alioth account, you
+can create one at:
 
 https://alioth.debian.org/account/register.php
 
@@ -102,6 +102,7 @@
 
 Automatic Issue Updates
 -----------------------
+
 Twice a day a cronjob runs that pulls down the latest full CVE lists
 from Mitre, this automatically gets checked into data/CVE/list, and
 also syncs that file with other lists like data/DSA/list and
@@ -122,6 +123,7 @@
 
 Processing TODO entries
 -----------------------
+
 The Mitre update typically manifests in new CVE entries. So what we do
 is to update our svn repository and then edit data/CVE/list and look
 for new TODO entries. These will often be in blocks of 10-50 or so,
@@ -149,6 +151,7 @@
 
 Issues Not-For-Us (NFU)
 -----------------------
+
 Processing your claimed entries is done by first seeing if the issue
 is related to any software packaged in Debian, if it isn't a package
 in Debian and has no ITP then you note that in the file. Another case
@@ -175,6 +178,7 @@
 
 Reserved entries
 ----------------
+
 Several security problems have coordinated dates of public disclosure,
 i.e. a CVE identifier has been assigned to a problem, but it's not
 public yet. Also, several vendors have a pool of CVE ids they can
@@ -186,6 +190,7 @@
 
 Rejected entries
 ----------------
+
 Sometimes there are CVE assignments that later turn out to be duplicates,
 mistakes or non-issues. These items are reverted and turned into REJECTED
 entries:
@@ -195,6 +200,7 @@
 
 ITP packages
 ------------
+
 If it is a package that someone has filed an RFP or ITP for, then that
 is also noted, so it can be tracked to make sure that the issue is
 resolved before the package enters the archive:
@@ -206,6 +212,7 @@
 
 Packages in the archive
 -----------------------
+
 If it is a package in Debian, look to see if the package is affected or 
 not (sometimes newer versions that have the fixes have already been 
 uploaded). 
@@ -257,6 +264,9 @@
 <not-affected> is also used if a vulnerability was fixed before a
 package was uploaded into the Debian archive.
 
+Removed packages
+----------------
+
 Sometimes there are cases, where a vulnerability hasn't been fixed with
 a code change, but simply by deciding that a package is that broken that
 it needs to be removed from the archive entirely. This is tracked with
@@ -265,11 +275,6 @@
 CVE-2005-1435 (Open WebMail (OWM) before 2.51 20050430 allows remote authenticated ...)
         - openwebmail <removed>
 
-After a new Debian release, some packages vanish from the database,
-and consistency checks might fail.  In this case, a single <removed>
-entry needs to be added to an input file, or the package name should
-be included in the data/packages/removed-packages file.
-
 Also note that it is sufficient to mark a package as removed in unstable.
 The tracker is aware of which package is present in which distribution
 and marks other distributions that still contain the package automagically
@@ -280,8 +285,16 @@
 
 will track oldstable as affected, but stable and unstable as not-affected.
 
+Once a package has been completely removed from all currently supported
+debian releases, it should be tracked in the data/packages/removed-packages
+file.  This file lists all packages (one source package per line) that were
+at one time in a debian release, but no longer exist in any supported
+version.  Additions to this file can be used to address failing consistency
+checks after a new release.
+
 Severity levels
 ---------------
+
 These levels are mostly used to prioritize the order in which security
 problems are resolved. Anyway, we have a rough overview on how you should
 assess these levels. 
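Review bot: in the added paragraph, "debian releases" and "debian release" should read "Debian" with a capital D, matching "Debian archive" and "Debian release" elsewhere in this file. The new text also only mentions the removed-packages file for fixing consistency checks after a release, whereas the paragraph removed earlier in this patch also allowed a single <removed> entry in an input file; if that alternative is still valid, say so here, and if the file is now the preferred mechanism, say that explicitly so contributors do not keep using both.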
@@ -326,6 +339,7 @@
 
 NOTE and TODO entries
 ---------------------
+
 There are many instances where more work has to be done to determine
 if something is affected, and you might not be able to do this at the
 time. These entries can have their TODO line changed to something
@@ -351,6 +365,7 @@
 
 CVE assignments
 ---------------
+
 Debian can only assign CVE names from its own pool for issues which
 are not public.  To request a CVE from the Debian pool, write to
 <security at debian.org> and include a description which follows CVE
@@ -374,6 +389,7 @@
 
 Distribution tags
 -----------------
+
 Our data is primarily targeted at sid, as we track the version that
 a certain issue was fixed in sid. The Security Tracker web site (see
 below) derives information about the applicability of a vulnerability
@@ -392,6 +408,7 @@
 
 Generated Reports
 -----------------
+
 All of this tracking information gets automatically parsed and
 compared against madison to determine what has been fixed and what is
 still waiting, this results in this website:
@@ -425,6 +442,7 @@
 
 The DSA list
 ------------
+
 We maintain a list of all DSA advisories issued by the stable security
 team. This information is used to derive information about the state
 of security problems for the stable and oldstable distribution. An
@@ -458,6 +476,7 @@
 
 Checking your changes
 ---------------------
+
 Commits are checked for syntax errors before they are actually committed,
 and you'll receive an error and your commit is aborted if it is in error.
 To check your changes yourself beforehand, use "make check-syntax" from
@@ -465,6 +484,7 @@
 
 Following up on security issues
 -------------------------------
+
 By simply loading this page and doing a little gardening of the
 different issues many things can be done. One thing is that you can
 read all the bug reports of each issue and see if new information has
@@ -499,6 +519,7 @@
 
 IRC Channel
 -----------
+
 We hang-out on #debian-security on OFTC, stop by the IRC channel if
 you'd like, also we can add you to the alioth project so you have svn
 write permission and you can test drive it on the testing issues for