Author: gilbert-guest Date: 2011-07-28 05:08:01 +0000 (Thu, 28 Jul 2011) New Revision: 17015 Modified: doc/narrative_introduction Log: document <undetermined> Modified: doc/narrative_introduction ==================================================================--- doc/narrative_introduction 2011-07-27 21:14:21 UTC (rev 17014) +++ doc/narrative_introduction 2011-07-28 05:08:01 UTC (rev 17015) 
@@ -158,6 +158,41 @@ http://www.debian.org/doc/manuals/reference/ch09#_chroot_system http://wiki.debian.org/Debootstrap +Undetermined Tags +----------------- + +If you don''t have time to fully research an issue, but it is abundantly +clear (via CVE text or other announcement) that the issue affects a +particular package or set of packages, the <undetermined> tag can be +used. This has the advantage of entering the issue earlier in the +output of debsecan and on the pts pages, which is useful for the small +set of proactive maintainers paying attention to these information +sources. Getting the maintainer involved hopefully prompts fastera +fixes. This also allows enables tracking of multiple packages, some +of which may already be fixed. + +<undetermined> can also be used when there simply is not enough +information disclosed in the existing known references about the +issue. Essentially, <undetermined> indicates that someone needs +to come back and revisit the issue. An example undetermined +entry is: + +CVE-2011-2351 (Use-after-free vulnerability in Google Chrome before 12.0.742.112 ...) + - chromium-browser 12.0.742.112~r90304-1 + - webkit <undetermined> + NOTE: webkit commit #123456 + +The list of all of currently undetermined issues is aggregated at: +http://security-tracker.debian.org/tracker/status/undetermined + +This is a good place for new contributors to get started since these +are issues that can be pruned quickly for new information that may +not have been known during the initial disclosure, and thus marked +<unfixed> for further work or closed with a version number. Please +add notes if you do change an undetermined issue to unfixed (unless +you''re also fixing the issue in the process, which is of course the +ideal way to help/contribute). + Issues in ITP and/or RFP packages ---------------------------------
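Review bot: The first paragraph of the new "Undetermined Tags" section has two wording slips that should be fixed before this lands: "prompts fastera fixes" should read "prompts faster fixes", and "This also allows enables tracking of multiple packages" should keep only one of the two verbs. In the same section, "The list of all of currently undetermined issues" has a stray "of", and the doubled apostrophes in "don''t" and "you''re" should be single. In the example entry, "NOTE: webkit commit #123456" reads like a placeholder; either say so in the text or show the kind of reference a real note would carry, since new contributors are likely to copy the example as is. The last paragraph covers moving an undetermined entry to <unfixed> or closing it with a version number, but does not say what to record when research shows the package is not affected at all; a sentence on that outcome would complete the guidance.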