Author: gilbert-guest
Date: 2010-04-11 23:48:31 +0000 (Sun, 11 Apr 2010)
New Revision: 14458

Modified:
   doc/narrative_introduction
Log:
remove claiming discussion from documentation since that is never used anymore and clarify module tracking

Modified: doc/narrative_introduction ==================================================================--- doc/narrative_introduction 2010-04-11 22:37:44 UTC (rev 14457) +++ doc/narrative_introduction 2010-04-11 23:48:31 UTC (rev 14458) 
@@ -105,37 +105,24 @@ The Mitre update typically manifests in new CVE entries. So what we do is to update our svn repository and then edit data/CVE/list and look for new TODO entries. These will often be in blocks of 10-50 or so, -depending on how many new issues they have assigned. Depending on how -you feel you will "claim" a block of say 10 new entries by -putting your name in the file at the beginning and the end of the new -TODO entries and then commit the repository. This looks like this: +depending on how many new issues they have assigned. -begin claimed by jmm -CVE-2005-4066 (Total Commander 6.53 uses weak encryption to store FTP -usernams and ...) - TODO: check -CVE-2005-4065 (SQL injection vulnerability in the search module in -Edgewall Trac ...) - TODO: check -CVE-2005-4030 (SQL injection vulnerability in Quicksilver Forums -before 1.5.1 allows ...) - TODO: check -end claimed by jmm +IMPORTANT: make sure to read: +http://lists.alioth.debian.org/pipermail/secure-testing-team/2009-May/002394.html -Once these are checked-in, then others will not do work on these TODO -issues. - -IMPORTANT: make sure to read: http://lists.alioth.debian.org/pipermail/secure-testing-team/2009-May/002394.html - -Issues Not-For-Us (NFU) +Issues NOT-FOR-US (NFU) ----------------------- -Processing your claimed entries is done by first seeing if the issue -is related to any software packaged in Debian, if it isn''t a package -in Debian and has no ITP then you note that in the file. Another case -are meta packages that only provide a downloader (e.g. flashplugin-nonfree). -There is no way to mark such packages as we have no influence on the version -and technically the code is not present in Debian. +Processing entries is done by first seeing if the issue is related to any +software packaged in Debian. If it isn''t a package in Debian and has no +ITP then you note that in the file with a ''NOT-FOR-US:'' tag. 
Third-party +modules are not yet packaged for Debian are also tagged as NFU; even if +their parent software is packaged for Debian. The module names should be +mentioned in the NFU note in order to make issues apparent if that module +should ever receive a propper package. Another case are meta packages +that only provide a downloader (e.g. flashplugin-nonfree). There is no +way to mark such packages as we have no influence on the version and +technically the code is not present in Debian. Example: @@ -147,8 +134,7 @@ See "bin/check-new-issues -h". For the search functions in check-new-issues to work, you need to have unstable in your sources.list and have done "apt-get update" and "apt-file update". -Having libterm-readline-gnu-perl installed helps, too. Unfortunately, -check-new-issues does not yet support the "claimed by" tags mentioned above. +Having libterm-readline-gnu-perl installed helps, too. Please also make sure to check the wnpp list for possible <itp> items and the ftp-master removal list to see if the issue way maybe present in the past
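Review bot: In the first hunk (@@ -105,37 +105,24 @@), the added NOT-FOR-US paragraph has wording errors that make the new rule hard to parse: "Third-party modules are not yet packaged for Debian are also tagged as NFU" needs "that" after "modules", the semicolon before "even if their parent software is packaged" should be a comma, and "propper" should be "proper". The same paragraph says module names "should be mentioned in the NFU note" but the added lines do not show what such a note looks like; a sample NOT-FOR-US line for the module case would let triagers apply the convention consistently and grep for it later. The "IMPORTANT: make sure to read:" link is also left without any hint of what it covers now that the surrounding claiming text is gone; a short phrase naming its subject would help.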
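Review bot: In the second hunk (@@ -147,8 +134,7 @@), the trailing context line still reads "to see if the issue way maybe present in the past"; since this paragraph is being edited anyway, correct it to "was maybe present" (or "may have been present") in the same commit. Dropping the sentence about check-new-issues not supporting the "claimed by" tags is consistent with the first hunk removing the claiming procedure, so nothing else in this hunk needs to change.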