[Secure-testing-commits] r16978 - doc

Johnathan Ritzi jrdioko-guest at alioth.debian.org
Mon Jul 25 03:48:49 UTC 2011


Author: jrdioko-guest
Date: 2011-07-25 03:48:49 +0000 (Mon, 25 Jul 2011)
New Revision: 16978

Modified:
   doc/narrative_introduction
Log:
Additions to narrative_introduction file

Explicitly mention steps that should be taken before marking
an issue NFU. Mention to add a NOTE if there is any doubt.
Include links for making an unstable chroot. Clarify handling
of RFPs.


Modified: doc/narrative_introduction
===================================================================
--- doc/narrative_introduction	2011-07-25 03:39:54 UTC (rev 16977)
+++ doc/narrative_introduction	2011-07-25 03:48:49 UTC (rev 16978)
@@ -131,16 +131,49 @@
 service ...)
    NOT-FOR-US: Safari
 
+Before marking a package NOT-FOR-US, the following should be done:
+    - Read the full CVE description to determine the product name
+    - Search for the product using apt-cache search <name>
+    - If a file was referenced, search for the file using
+      apt-file search <name>
+    - Search the wnpp list (http://www.debian.org/devel/wnpp/) to see
+      if the product has an ITP or RFP (see "ITP/RFP packages" below)
+    - Search the ftp-master removal list
+      (http://ftp-master.debian.org/removals-full.txt) or the Package
+      Tracking System (http://packages.qa.debian.org/) to see if the
+      package was present in the past but was removed (see "Removed 
+      packages" below)
+
+If there is any doubt, add a NOTE with your findings and ask others to
+double check.
+
 There is a tool that helps with sorting out all the NOT-FOR-US issues: 
 See "bin/check-new-issues -h". For the search functions in 
 check-new-issues to work, you need to have unstable in your 
 sources.list and have done "apt-get update" and "apt-file update". 
-Having libterm-readline-gnu-perl installed helps, too.
+Having libterm-readline-gnu-perl installed helps, too. If you are not
+running unstable, you can search at http://packages.debian.org or
+set up an unstable chroot:
 
-Please also make sure to check the wnpp list for possible <itp> items and
-the ftp-master removal list to see if the issue way maybe present in the past
-but the package was removed
+http://www.debian.org/doc/manuals/reference/ch09#_chroot_system
+http://wiki.debian.org/Debootstrap
 
+ITP/RFP packages
+----------------
+
+If it is a package that someone has filed an RFP or ITP for, then that
+is also noted, so it can be tracked to make sure that the issue is
+resolved before the package enters the archive. ITPs are marked with
+<itp>, while RFPs are simply mentioned in a NOTE:
+
+CVE-2004-2525 (Cross-site scripting (XSS) vulnerability in compat.php
+in Serendipity ...)
+        - serendipity <itp> (bug #312413)
+
+CVE-2008-0851 (Multiple cross-site scripting (XSS) vulnerabilities in Dokeos 1.8.4 ...)
+        NOT-FOR-US: Dokeos
+        NOTE: there is an RFP for Dokeos #433352
+
 Reserved entries
 ----------------
 
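Review bot: the new step list ("Before marking a package NOT-FOR-US ...") tells the reader to run `apt-cache search <name>` and `apt-file search <name>`, but only the later check-new-issues paragraph says these searches have to be run against unstable; state that in the list itself (e.g. "Search for the product using apt-cache search <name> against unstable, see below"), otherwise someone on stable gets a miss and marks the issue NFU. Related: `apt-file search <name>` matches substrings of paths, so a short file name such as compat.php will hit many unrelated packages; suggest recommending as much of the path as the CVE description gives. The list also refers to a "Removed packages" section "below", which this patch does not add (unlike "ITP/RFP packages", which it does); confirm that section exists or add it. Minor: trailing whitespace on the added line ending `(see "Removed `.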
@@ -163,18 +196,6 @@
 CVE-2005-4129
         REJECTED
 
-ITP packages
-------------
-
-If it is a package that someone has filed an RFP or ITP for, then that
-is also noted, so it can be tracked to make sure that the issue is
-resolved before the package enters the archive:
-
-CVE-2004-2525 (Cross-site scripting (XSS) vulnerability in compat.php
-in Serendipity ...)
-        - serendipity <itp> (bug #312413)
-
-
 Packages in the archive
 -----------------------
 
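Review bot: the heading removed here, "ITP packages", may still be referenced elsewhere in narrative_introduction; the step list added in the first hunk uses the new name "ITP/RFP packages", so grep the file for the old heading before committing. Removing the two trailing blank lines together with the section leaves a single blank line between the REJECTED entry and "Packages in the archive", which matches the other section breaks.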



