[Secure-testing-commits] r17015 - doc
Michael Gilbert
gilbert-guest at alioth.debian.org
Thu Jul 28 05:08:01 UTC 2011
Author: gilbert-guest
Date: 2011-07-28 05:08:01 +0000 (Thu, 28 Jul 2011)
New Revision: 17015
Modified:
doc/narrative_introduction
Log:
document <undetermined>
Modified: doc/narrative_introduction
===================================================================
--- doc/narrative_introduction 2011-07-27 21:14:21 UTC (rev 17014)
+++ doc/narrative_introduction 2011-07-28 05:08:01 UTC (rev 17015)
@@ -158,6 +158,41 @@
http://www.debian.org/doc/manuals/reference/ch09#_chroot_system
http://wiki.debian.org/Debootstrap
+Undetermined Tags
+-----------------
+
+If you don't have time to fully research an issue, but it is abundantly
+clear (via CVE text or other announcement) that the issue affects a
+particular package or set of packages, the <undetermined> tag can be
+used. This has the advantage of entering the issue earlier in the
+output of debsecan and on the pts pages, which is useful for the small
+set of proactive maintainers paying attention to these information
+sources. Getting the maintainer involved hopefully prompts fastera
+fixes. This also allows enables tracking of multiple packages, some
+of which may already be fixed.
+
+<undetermined> can also be used when there simply is not enough
+information disclosed in the existing known references about the
+issue. Essentially, <undetermined> indicates that someone needs
+to come back and revisit the issue. An example undetermined
+entry is:
+
+CVE-2011-2351 (Use-after-free vulnerability in Google Chrome before 12.0.742.112 ...)
+ - chromium-browser 12.0.742.112~r90304-1
+ - webkit <undetermined>
+ NOTE: webkit commit #123456
+
+The list of all of currently undetermined issues is aggregated at:
+http://security-tracker.debian.org/tracker/status/undetermined
+
+This is a good place for new contributors to get started since these
+are issues that can be pruned quickly for new information that may
+not have been known during the initial disclosure, and thus marked
+<unfixed> for further work or closed with a version number. Please
+add notes if you do change an undetermined issue to unfixed (unless
+you're also fixing the issue in the process, which is of course the
+ideal way to help/contribute).
+
Issues in ITP and/or RFP packages
---------------------------------
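Review bot: The first added paragraph has two wording slips: "hopefully prompts fastera fixes" should read "faster fixes", and "This also allows enables tracking of multiple packages" should keep only one verb, e.g. "This also enables tracking of multiple packages". Further down, "The list of all of currently undetermined issues" has a stray "of". In the example entry, "NOTE: webkit commit #123456" looks like a placeholder number. Since the text says <undetermined> means someone needs to come back and revisit the issue, it would help to state that the commit number is illustrative, or to show a NOTE that records what still has to be checked. The closing paragraph asks contributors to "add notes if you do change an undetermined issue to unfixed" but does not say what the note should contain. One sentence on that (for example, the reference that settled the question) would make the request actionable.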