[Git][security-tracker-team/security-tracker][updatedocs] Update for review comments

Neil Williams (@codehelp) codehelp at debian.org
Wed Feb 16 07:44:12 GMT 2022



Neil Williams pushed to branch updatedocs at Debian Security Tracker / security-tracker


Commits:
d188babe by Neil Williams at 2022-02-16T07:44:02+00:00
Update for review comments

- - - - -


1 changed file:

- doc/security-team.d.o/security_tracker


Changes:

=====================================
doc/security-team.d.o/security_tracker
=====================================
@@ -25,10 +25,6 @@ For example, systems with some additional or modified packages compared to Debia
 a separate triage process for every NFU to find ones which are relevant to what has
 been added as well as a triage on packages which differ from Debian.
 
-When a vulnerability relates to a package, the triage will need to include an
-assessment of the severity of the vulnerability as it affects Debian. See [Severity
-levels](#security-levels).
-
 Entries in the Debian Security Tracker do not imply anything about how a vulnerability
 may affect systems other than Debian.
 
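Review bot: dropping this paragraph also drops the only cross-reference from the introduction to the `#security-levels` anchor, so a reader of this section no longer learns that triage includes assessing severity as it affects Debian. If the intent is to avoid duplicating the Severity levels section, consider keeping a one-line pointer such as `See [Severity levels](#security-levels).` instead of removing the whole paragraph; otherwise check that no other part of the document still refers to this text.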
@@ -437,12 +433,10 @@ assess these levels.
 Certain packages may get higher or lower rating than usual, based on
 their importance.
 
-Assessments of severity are made against the binaries as provided by Debian. A
-vulnerability where an exploit would rely on changing configuration in a non-standard
-way or rebuilding the binary from source to enable|disable some feature is not
-considered to be of high severity. For each vulnerability, the severity assigned within
-the Debian Security Tracker only relates to how Debian views that vulnerability and how
-quickly the fix may need to be applied to the specified package(s) within Debian.
+Assessments of severity are made against the binaries as provided by Debian. For each
+vulnerability, the severity assigned within the Debian Security Tracker only relates to
+how Debian views that vulnerability and how quickly the fix may need to be applied to
+the specified package(s) within Debian.
 
 ### Vulnerabilities without an assigned CVE id
 
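Review bot: the removed sentence about issues that only matter after rebuilding from source or changing configuration in a non-standard way was the concrete rule behind "made against the binaries as provided by Debian"; with it gone, the retained sentence states the principle but no longer tells a triager how to rate such a case. If that rule was moved elsewhere, add a pointer to it; if it was dropped on purpose, a shortened form would still help, e.g. `An issue that is only reachable after rebuilding from source or non-standard reconfiguration is not rated high.`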
@@ -569,8 +563,8 @@ Summary of tracker syntax
 
 For a vulnerability in a package in Debian or proposed for introduction into Debian,
 the syntax should contain at least the `PKG_NAME` tabbed line and a `NOTE:` providing a
-URL to the fixing commit. Other lines are added, where relevant, within the general
-syntax.
+URL to useful references, like commit references, bug tracker entries and advisories.
+Other lines are added, where relevant, within the general syntax.
 
     CVE-YYYY-NNNNNN [(description)]
      \t RESERVED
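Review bot: the new wording `a NOTE: providing a URL to useful references, like commit references, bug tracker entries and advisories` mixes singular and plural (one URL, several references) and silently drops the previous requirement that the fixing commit be referenced, which is the reference the tracker's fixed-version claims rest on. Suggest: `and one or more NOTE: lines with URLs to the fixing commit where known, plus other useful references such as bug tracker entries and advisories.`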
@@ -588,7 +582,10 @@ syntax.
 - The pre-commit hook will check the syntax of each entry.
 
 The description of the CVE is not edited in the security tracker but it will be
-shortened in the tracker page for the vulnerability.
+shortened in the tracker page for the vulnerability. A temporary description can be
+added with the `[description]` syntax, for example for clarification. This will not be
+overridden by an automatic update unless there is a change in the description of the
+CVE in the MITRE feed
 
 For `<itp>`, the comment needs to include the bug number as `(bug #NNNNNNNNNN)`.
 
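Review bot: the added sentence ends without a full stop (`CVE in the MITRE feed`). It also calls the syntax `[description]` while the syntax summary above shows `CVE-YYYY-NNNNNN [(description)]`; use the same form in both places so readers know whether the parentheses are part of the syntax.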
@@ -604,8 +601,9 @@ mailing list and IRC notifications (see [Automatic issue updates](#automatic-iss
 However, changes to the tracker website itself (e.g., the files in `lib/*`
 and `bin/tracker_service.py`) should be vetted and approved before being
 committed. The preferred way to do this is to send a patch to the
-`debian-security-tracker at lists.debian.org` mailing list.
+`debian-security-tracker at lists.debian.org` mailing list or a merge request in Salsa.
 
+- [Salsa](https://salsa.debian.org/security-tracker-team/security-tracker/)
 - [https://lists.debian.org/debian-security-tracker/](https://lists.debian.org/debian-security-tracker/)
 
 Commits are checked for syntax errors before they are actually committed,
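Review bot: the two list items use different link styles, a `[Salsa](...)` label for the first and the bare URL as link text for the second; pick one form for both. The sentence above now says `a merge request in Salsa`, but the new link points at the repository root; if the merge request page is what contributors need, consider linking to it directly.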
@@ -733,7 +731,7 @@ project.
 * `./bin/report-vuln` - generate the correct email body to report a bug against a source package
   relating to an unfixed CVE(s).
 
-### Useful search support for checking new CVES
+### Useful search support for checking new CVEs
 
 - [https://www.debian.org/distrib/packages#search_packages](https://www.debian.org/distrib/packages#search_packages)
 - [https://wnpp.debian.net/](https://wnpp.debian.net/) (Be aware, forwarded ITPs might
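Review bot: the `CVES` to `CVEs` heading fix is correct. While touching this heading, note that the tool list just above uses `*` bullets and this section uses `-` bullets; unifying the bullet style would keep the rendered document consistent.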



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d188babe55290bc94a7f28c6ba2e031816ceacf7
