[Secure-testing-commits] r17008 - doc
Michael Gilbert
gilbert-guest at alioth.debian.org
Wed Jul 27 03:31:19 UTC 2011
Author: gilbert-guest
Date: 2011-07-27 03:31:18 +0000 (Wed, 27 Jul 2011)
New Revision: 17008
Modified:
doc/narrative_introduction
Log:
fix up some recent wording changes in the narrative doc
Modified: doc/narrative_introduction
===================================================================
--- doc/narrative_introduction 2011-07-27 03:22:14 UTC (rev 17007)
+++ doc/narrative_introduction 2011-07-27 03:31:18 UTC (rev 17008)
@@ -158,22 +158,20 @@
http://www.debian.org/doc/manuals/reference/ch09#_chroot_system
http://wiki.debian.org/Debootstrap
-ITP/RFP packages
-----------------
+Issues in ITP and/or RFP packages
+---------------------------------
-If it is a package that someone has filed an RFP or ITP for, then that
-is also noted, so it can be tracked to make sure that the issue is
-resolved before the package enters the archive. ITPs are marked with
-<itp>, while RFPs are simply mentioned in a NOTE:
+If an issue is discovered in a package that has an RFP or ITP already filed,
+then that is also noted in order to track the problem, and make sure it is
+resolved before the package enters the archive. These issues are marked with
+the <itp> tag. Note this includes both ITPs and RFPs since (from a security
+tracking standpoint) there is no advantage in tracking them in separate ways.
+An example entry for an ITP/RFP package is:
CVE-2004-2525 (Cross-site scripting (XSS) vulnerability in compat.php
in Serendipity ...)
- serendipity <itp> (bug #312413)
-CVE-2008-0851 (Multiple cross-site scripting (XSS) vulnerabilities in Dokeos 1.8.4 ...)
- NOT-FOR-US: Dokeos
- NOTE: there is an RFP for Dokeos #433352
-
Reserved entries
----------------
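Review bot: The added paragraph says RFPs are now marked with <itp> too, but the hunk deletes the only RFP example (CVE-2008-0851, Dokeos, written as NOT-FOR-US plus a NOTE) without saying what should happen to entries already recorded that way. The one remaining example, "- serendipity <itp> (bug #312413)", also does not say whether that bug is an ITP or an RFP. Suggest adding a sentence on whether existing NOT-FOR-US/NOTE entries for RFPs are to be converted to <itp>, and labelling the example accordingly. Minor wording in the added lines: "Note that this includes", and drop the comma before "and make sure".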
@@ -473,9 +471,9 @@
After thoroughly researching each issue (as described above) and editing
the relevant files, commit your changes. Peer review is done via the
mailing list and IRC notifications (see "Automatic Issue Updates" above).
-However, changes to the tracker website itself (e.g. the files in bin/)
-should be vetted and approved before being committed. The preferred way
-to do this is to send a patch to the
+However, changes to the tracker website itself (e.g. the files in lib/*
+and bin/tracker_service.py) should be vetted and approved before being
+committed. The preferred way to do this is to send a patch to:
debian-security-tracker at lists.debian.org mailing list.
Commits are checked for syntax errors before they are actually committed,
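Review bot: The vetting requirement in the changed sentence is narrowed from "the files in bin/" to "lib/* and bin/tracker_service.py", which leaves every other script under bin/ outside the review-before-commit rule. If that exclusion is intended, state it explicitly; otherwise keep bin/ as a whole and add lib/* to it. Separately, the new "send a patch to:" runs into the unchanged next line and now reads "to: debian-security-tracker at lists.debian.org mailing list."; the previous "to the" is the wording that fits that line.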