[Secure-testing-commits] r36917 - data

Raphaël Hertzog hertzog at moszumanska.debian.org
Wed Sep 30 13:23:55 UTC 2015


Author: hertzog
Date: 2015-09-30 13:23:55 +0000 (Wed, 30 Sep 2015)
New Revision: 36917

Modified:
   data/dla-needed.txt
Log:
Don't duplicate instructions, let the wiki be the reference

Modified: data/dla-needed.txt
===================================================================
--- data/dla-needed.txt	2015-09-30 13:21:44 UTC (rev 36916)
+++ data/dla-needed.txt	2015-09-30 13:23:55 UTC (rev 36917)
@@ -4,7 +4,9 @@
 https://security-tracker.debian.org/tracker/source-package/SOURCEPACKAGE
 when working on an update.
 
-To pick an issue, simply add your name behind it.
+To pick an issue, simply add your name behind it. To learn more about how
+this list is updated have a look at
+https://wiki.debian.org/LTS/Development#Triage_new_security_issues
 
 --
 binutils (Ben Hutchings)
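Review bot: the added sentence on the second and third `+` lines is missing a comma after the introductory clause and has no terminal punctuation, so the wiki URL runs straight into the separator below; suggest `this list is updated, have a look at:` on the second line so the URL on the following line is clearly the object of the sentence and no trailing period gets glued to the link. Also consider keeping a one-line summary of the no-dsa rule next to the pointer, since the hunk below removes the only local explanation of it.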
@@ -38,53 +40,3 @@
 --
 squid (Santiago R.R.)
 --
-
-
-
-How is this list being updated?
--------------------------------
-
-Have a look at the distro view on squeeze:
-https://security-tracker.debian.org/tracker/status/release/oldstable
-
-It contains all security issues which are unfixed and which haven't been tagged
-as <no-dsa>. These are security issues which have a minor impact and aren't worthy
-an update on their own (e.g. if a security issue can only be exploited in rare
-circumstances or if it's only of minor impact). Examples:
-* A vulnerability in a server which is only exploitable in a rare or inherently
-  insecure setup
-* Local temp races allowing DoS
-* Minor denial of service issues
-
-It might also be the case that a package is heavily used in stable, but has no
-reverse deps in oldstable and was introduced on a rather experimental basis.
-
-no-dsa doesn't mean that a security issue will remain unfixed. For standard stable
-and oldstable in Debian there are regular point updates which incorporate such
-minor fixes. There are no such point updates for Debian LTS, though. But if e.g.
-there's a minor issue in a package, it can be postponed using no-dsa and if there's
-later a more severe issue the issue formerly tagged as no-dsa can be fixed along.
-
-Keep in mind that every update may potentially introduce a regression and that
-every update involves work on the admin rolling out the updated package!
-
-
-So, if there's a security issue in a package listed at
-https://security-tracker.debian.org/tracker/status/release/oldstable which is not
-yet present in this file, so should do the following:
-
-I. Is the vulnerability present in the version in squeeze-lts? Often the vulnerable
-code has been introduced later. Don't blindly follow upstream advisories! Example:
-Software project X is currently at release 2.1.2 and provides updates for 2.0.x and
-2.1.x while squeeze-lts is at 1.8.x. Always check the code unless upstream explicity
-tells that e.g. the issue was introduced in 2.0 with git commit foobar.
-
-II. If the vulnerable code is present, does the vulnerability warrant a security
-update? If not, it can be tagged no-dsa. Issues tagged as no-dsa in stable might
-qualify as such, but you're free to use your own judgement.
-
-III. If the code is present and the issue is severe enough and not yet present
-in this file add it (preserving the alphabetical order). Even better, add yourself
-as the person working on a fixed package!
-
-
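Review bot: the removed block was the only place in this file that documented the no-dsa criteria and the three-step triage (check whether the vulnerable code is present in squeeze-lts, judge whether the issue warrants an update, add the package in alphabetical order); before landing, confirm that the wiki anchor referenced in the previous hunk, `https://wiki.debian.org/LTS/Development#Triage_new_security_issues`, actually carries all three steps and the no-dsa rationale, otherwise this change leaves contributors with a bare link and no fallback if the anchor is renamed. The trailing `-` lines removing the blank separators are fine, but the one remaining `--` at the end of the list now has nothing after it; either drop it or make sure it is the intended end-of-list marker.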