[Secure-testing-commits] r31473 - doc/security-team.d.o

Luciano Bello luciano at moszumanska.debian.org
Sat Jan 17 23:44:11 UTC 2015


Author: luciano
Date: 2015-01-17 23:44:11 +0000 (Sat, 17 Jan 2015)
New Revision: 31473

Modified:
   doc/security-team.d.o/dsa_release
   doc/security-team.d.o/security_tracker
Log:
documenting the change in the tracker with respect to experimental #718362

Modified: doc/security-team.d.o/dsa_release
===================================================================
--- doc/security-team.d.o/dsa_release	2015-01-17 23:38:45 UTC (rev 31472)
+++ doc/security-team.d.o/dsa_release	2015-01-17 23:44:11 UTC (rev 31473)
@@ -1 +1,12 @@
-https://wiki.debian.org/DebianSecurity/AdvisoryCreation
+# Steps to release a DSA
+To release 
+
+[TOC]
+
+Preparing fixed packages
+------------------------
+ Doable by any DD
+
+Testing fixed packages
+----------------------
+ Doable by any DD
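
Review bot: the second added line, "To release ", is an unfinished sentence, and both new sections contain only "Doable by any DD" with no actual steps. Complete the introduction and the section bodies, or mark the file as a draft. The hunk also removes the only pointer to https://wiki.debian.org/DebianSecurity/AdvisoryCreation, so keep that link in the new text until the steps are written here. This change to dsa_release is not mentioned in the log message, which only covers the tracker and experimental, so it would be cleaner as a separate commit.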

Modified: doc/security-team.d.o/security_tracker
===================================================================
--- doc/security-team.d.o/security_tracker	2015-01-17 23:38:45 UTC (rev 31472)
+++ doc/security-team.d.o/security_tracker	2015-01-17 23:44:11 UTC (rev 31473)
@@ -159,7 +159,7 @@
 
 ### Packages in the archive
 
-If the vulnerability refers to a package in the Debian archive, look
+If the vulnerability refers to a package in the Debian archive (except for experimental, [see later](#packages-in-experimental-only)), look
 to see if the package is affected or not (sometimes newer versions that
 have the fixes have already been uploaded).
 
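
Review bot: the link target `#packages-in-experimental-only` on the changed line depends on the renderer deriving that id from the heading "Packages in Experimental only", so confirm it resolves in the rendered page. "see later" would also read better as a named reference, for example "see Packages in Experimental only". The changed line is now much longer than the wrapped lines that follow it, so re-wrap the paragraph.
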
@@ -250,6 +250,22 @@
 you're also fixing the issue in the process, which is of course the
 ideal way to help/contribute).
 
+### Packages in Experimental only
+There are some packages that only exists in experimental. In that 
+case, place the distribution tag `experimental`. For example:
+
+    CVE-2013-1067 (Apport 2.12.5 and earlier uses weak permissions for core dump files ...)
+            [experimental] - apport 2.12.6-1 (bug #727661)
+
+If the package is in unstable *and* in experimental, focus on unstable (we are 
+not tracking fixes in experimental). A note about the situation in experimental
+is appreciate. For example:
+
+    CVE-2014-8564 (The _gnutls_ecc_ansi_x963_export function in gnutls_ecc.c in GnuTLS ...)
+            - gnutls28 <unfixed> (bug #769154)
+            NOTE: in experimental fixed in 3.3.10-1
+
+
 ### Issues in ITP and/or RFP packages
 
 If an issue is discovered in a package that has an RFP or ITP already filed,
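
Review bot: two grammar slips in the new section: "packages that only exists" should be "only exist", and "is appreciate" should be "is appreciated". The heading "### Packages in Experimental only" has no blank line after it, unlike the neighbouring headings in the context lines, and the lines ending "In that " and "(we are " carry trailing whitespace. The hunk also adds two blank lines before "### Issues in ITP and/or RFP packages" where one would match the rest of the file. The `[experimental]` example only shows a fixed version, so it would help to state what to write when the experimental-only package is still unfixed.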



