[Secure-testing-commits] r16978 - doc
Johnathan Ritzi
jrdioko-guest at alioth.debian.org
Mon Jul 25 03:48:49 UTC 2011
Author: jrdioko-guest
Date: 2011-07-25 03:48:49 +0000 (Mon, 25 Jul 2011)
New Revision: 16978
Modified:
doc/narrative_introduction
Log:
Additions to narrative_introduction file
Explicitly mention steps that should be taking before marking
an issue NFU. Mention to add a NOTE if there is any doubt.
Include links for making an unstable chroot. Clarify handling
of RFPs.
Modified: doc/narrative_introduction
===================================================================
--- doc/narrative_introduction 2011-07-25 03:39:54 UTC (rev 16977)
+++ doc/narrative_introduction 2011-07-25 03:48:49 UTC (rev 16978)
@@ -131,16 +131,49 @@
service ...)
NOT-FOR-US: Safari
+Before marking a package NOT-FOR-US, the following should be done:
+ - Read the full CVE description to determine the product name
+ - Search for the product using apt-cache search <name>
+ - If a file was referenced, search for the file using
+ apt-file search <name>
+ - Search the wnpp list (http://www.debian.org/devel/wnpp/) to see
+ if the product has an ITP or RFP (see "ITP/RFP packages" below)
+ - Search the ftp-master removal list
+ (http://ftp-master.debian.org/removals-full.txt) or the Package
+ Tracking System (http://packages.qa.debian.org/) to see if the
+ package was present in the past but was removed (see "Removed
+ packages" below)
+
+If there is any doubt, add a NOTE with your findings and ask others to
+double check.
+
There is a tool that helps with sorting out all the NOT-FOR-US issues:
See "bin/check-new-issues -h". For the search functions in
check-new-issues to work, you need to have unstable in your
sources.list and have done "apt-get update" and "apt-file update".
-Having libterm-readline-gnu-perl installed helps, too.
+Having libterm-readline-gnu-perl installed helps, too. If you are not
+running unstable, you can search at http://packages.debian.org or
+set up an unstable chroot:
-Please also make sure to check the wnpp list for possible <itp> items and
-the ftp-master removal list to see if the issue way maybe present in the past
-but the package was removed
+http://www.debian.org/doc/manuals/reference/ch09#_chroot_system
+http://wiki.debian.org/Debootstrap
+ITP/RFP packages
+----------------
+
+If it is a package that someone has filed an RFP or ITP for, then that
+is also noted, so it can be tracked to make sure that the issue is
+resolved before the package enters the archive. ITPs are marked with
+<itp>, while RFPs are simply mentioned in a NOTE:
+
+CVE-2004-2525 (Cross-site scripting (XSS) vulnerability in compat.php
+in Serendipity ...)
+ - serendipity <itp> (bug #312413)
+
+CVE-2008-0851 (Multiple cross-site scripting (XSS) vulnerabilities in Dokeos 1.8.4 ...)
+ NOT-FOR-US: Dokeos
+ NOTE: there is an RFP for Dokeos #433352
+
Reserved entries
----------------
@@ -163,18 +196,6 @@
CVE-2005-4129
REJECTED
-ITP packages
-------------
-
-If it is a package that someone has filed an RFP or ITP for, then that
-is also noted, so it can be tracked to make sure that the issue is
-resolved before the package enters the archive:
-
-CVE-2004-2525 (Cross-site scripting (XSS) vulnerability in compat.php
-in Serendipity ...)
- - serendipity <itp> (bug #312413)
-
-
Packages in the archive
-----------------------
More information about the Secure-testing-commits
mailing list