Author: gilbert-guest Date: 2009-04-19 23:28:54 +0000 (Sun, 19 Apr 2009) New Revision: 11654 Modified: doc/narrative_introduction Log: some updates to wording of the narrative_introduction Modified: doc/narrative_introduction ==================================================================--- doc/narrative_introduction 2009-04-19 23:27:56 UTC (rev 11653) +++ doc/narrative_introduction 2009-04-19 23:28:54 UTC (rev 11654) 
@@ -192,14 +192,25 @@ Bug numbers can be added as in the example above. To avoid duplicate bugs, "bug filed" can be added instead of "bug #123456" when the bug report has -been sent but the bug number is not yet known. The bug numbers are used -to add additional references for the overview page and the Security Bug -Tracker and they are parsed by a script that generates user tags "tracked" -for the user debian-security at lists.debian.org. This way you can generate -a BTS query for all issues in the BTS that are tagged "security" and are -not yet added to our tracker: +been sent but the bug number is not yet known (however, it is more +desirable to file the bug, wait for the BTS to assign a number, then update +the entry in the CVE list so that complete information is always available +in the tracker). The bug number is important because it makes it clear +that the maintainer has been contacted about the problem, and that they are +aware of their responsibility to work swiftly toward a fix. The bug +numbers are also used to add additional references for the overview page +and the Security Bug Tracker. They are parsed by a script that generates +user tags "tracked" for the user debian-security at lists.debian.org, which +enables BTS users to generate a query for all of the issues that are tagged +"security" but not yet added to the tracker: http://bugs.debian.org/cgi-bin/pkgreport.cgi?tag=security;users=debian-security at lists.debian.org;exclude=tracked +Since CVEs often drop in bulk, submission of multiple CVEs in a single bug +report is permissable and encouraged. However, some maintainers have +indicated a preference for only one issue per bug report. The following +is a list of packages for which each CVE should be reported separately: + - php5 + A special exception is made for kernel related issues. The kernel-sec group will take care of them and file bugs if needed.
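Review bot: In the added paragraph on reporting multiple CVEs in a single bug, "permissable" is misspelled and should read "permissible". The same paragraph embeds a one-entry exception list (php5) in narrative text without saying how a package gets onto it; a sentence on how maintainers register that preference, or where the list is maintained, would keep it from going stale. In the rewritten first paragraph, the long parenthetical advising to wait for the BTS to assign a number sits inside the sentence that introduces "bug filed"; it would be clearer as its own sentence stating that the numbered form is preferred and that "bug filed" is a temporary placeholder to be replaced once the number is known.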