Author: gilbert-guest Date: 2009-09-13 19:07:35 +0000 (Sun, 13 Sep 2009) New Revision: 12800 Modified: doc/narrative_introduction Log: narrative_introduction - update on removed-packages file - clean up some formatting and grammar Modified: doc/narrative_introduction ==================================================================--- doc/narrative_introduction 2009-09-13 18:25:37 UTC (rev 12799) +++ doc/narrative_introduction 2009-09-13 19:07:35 UTC (rev 12800) @@ -60,8 +60,8 @@ password twice. This is normal and to be expected. After successfully downloading, you will have a new directory called secure-testing. Inside this directory are a number of subdirectories. The data directory is -where we do most of our work. If you don''t have Alioth account, you can -create one at: +where we do most of our work. If you don''t have an Alioth account, you +can create one at: https://alioth.debian.org/account/register.php @@ -102,6 +102,7 @@ Automatic Issue Updates ----------------------- + Twice a day a cronjob runs that pulls down the latest full CVE lists from Mitre, this automatically gets checked into data/CVE/list, and also syncs that file with other lists like data/DSA/list and @@ -122,6 +123,7 @@ Processing TODO entries ----------------------- + The Mitre update typically manifests in new CVE entries. So what we do is to update our svn repository and then edit data/CVE/list and look for new TODO entries. These will often be in blocks of 10-50 or so, @@ -149,6 +151,7 @@ Issues Not-For-Us (NFU) ----------------------- + Processing your claimed entries is done by first seeing if the issue is related to any software packaged in Debian, if it isn''t a package in Debian and has no ITP then you note that in the file. Another case 
@@ -175,6 +178,7 @@ Reserved entries ---------------- + Several security problems have coordinated dates of public disclosure, i.e. a CVE identifier has been assigned to a problem, but it''s not public yet. Also, several vendors have a pool of CVE ids they can @@ -186,6 +190,7 @@ Rejected entries ---------------- + Sometimes there are CVE assignments that later turn out to be duplicates, mistakes or non-issues. These items are reverted and turned into REJECTED entries: @@ -195,6 +200,7 @@ ITP packages ------------ + If it is a package that someone has filed an RFP or ITP for, then that is also noted, so it can be tracked to make sure that the issue is resolved before the package enters the archive: @@ -206,6 +212,7 @@ Packages in the archive ----------------------- + If it is a package in Debian, look to see if the package is affected or not (sometimes newer versions that have the fixes have already been uploaded). @@ -257,6 +264,9 @@ <not-affected> is also used if a vulnerability was fixed before a package was uploaded into the Debian archive. +Removed packages +---------------- + Sometimes there are cases, where a vulnerability hasn''t been fixed with a code change, but simply by deciding that a package is that broken that it needs to be removed from the archive entirely. This is tracked with @@ -265,11 +275,6 @@ CVE-2005-1435 (Open WebMail (OWM) before 2.51 20050430 allows remote authenticated ...) - openwebmail <removed> -After a new Debian release, some packages vanish from the database, -and consistency checks might fail. In this case, a single <removed> -entry needs to be added to an input file, or the package name should -be included in the data/packages/removed-packages file. - Also note that it is sufficient to mark a package as removed in unstable. The tracker is aware of which package is present in which distribution and marks other distributions that still contain the package automagically 
@@ -280,8 +285,16 @@ will track oldstable as affected, but stable and unstable as not-affected. +Once a package has been completely removed from all currently supported +debian releases, it should be tracked in the data/packages/removed-packages +file. This file lists all packages (one source package per line) that were +at one time in a debian release, but no longer exist in any supported +version. Additions to this file can be used to address failing consistency +checks after a new release. + Severity levels --------------- + These levels are mostly used to prioritize the order in which security problems are resolved. Anyway, we have a rough overview on how you should assess these levels. @@ -326,6 +339,7 @@ NOTE and TODO entries --------------------- + There are many instances where more work has to be done to determine if something is affected, and you might not be able to do this at the time. These entries can have their TODO line changed to something @@ -351,6 +365,7 @@ CVE assignments --------------- + Debian can only assign CVE names from its own pool for issues which are not public. To request a CVE from the Debian pool, write to <security at debian.org> and include a description which follows CVE @@ -374,6 +389,7 @@ Distribution tags ----------------- + Our data is primarily targeted at sid, as we track the version that a certain issue was fixed in sid. The Security Tracker web site (see below) derives information about the applicability of a vulnerability @@ -392,6 +408,7 @@ Generated Reports ----------------- + All of this tracking information gets automatically parsed and compared against madison to determine what has been fixed and what is still waiting, this results in this website: @@ -425,6 +442,7 @@ The DSA list ------------ + We maintain a list of all DSA advisories issued by the stable security team. This information is used to derive information about the state of security problems for the stable and oldstable distribution. An 
@@ -458,6 +476,7 @@ Checking your changes --------------------- + Commits are checked for syntax errors before they are actually committed, and you''ll receive an error and your commit is aborted if it is in error. To check your changes yourself beforehand, use "make check-syntax" from @@ -465,6 +484,7 @@ Following up on security issues ------------------------------- + By simply loading this page and doing a little gardening of the different issues many things can be done. One thing is that you can read all the bug reports of each issue and see if new information has @@ -499,6 +519,7 @@ IRC Channel ----------- + We hang-out on #debian-security on OFTC, stop by the IRC channel if you''d like, also we can add you to the alioth project so you have svn write permission and you can test drive it on the testing issues for
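Review bot: in the hunk at @@ -60,8 +60,8 @@, the rewrapped line `+where we do most of our work. If you don''t have an Alioth account, you` still carries the doubled apostrophe in `don''t`; if that doubling is really in the file rather than an artefact of how this mail is rendered, this is the moment to fix it, since the same `''` shows up in `hasn''t`, `it''s`, `you''ll` and `you''d` in the unchanged context of later hunks.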
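Review bot: the paragraph deleted in the hunk at @@ -265,11 +275,6 @@ offered two ways to quiet a failing consistency check after a release, a single `<removed>` entry in an input file or a line in the data/packages/removed-packages file, and only the second survives in the replacement text added at @@ -280,8 +285,16 @@; if the `<removed>` route is still valid the new paragraph should keep it, and if it is not, a short reason (for example that the tracker already marks other distributions from a single unstable `<removed>` entry, as the context line `Also note that it is sufficient to mark a package as removed in unstable` says) would spare the next reader the same question.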
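Review bot: in the hunk at @@ -280,8 +285,16 @@, `debian` is lowercased twice in the added paragraph (`all currently supported debian releases` and `at one time in a debian release`) while the rest of the file writes `Debian` (`the Debian archive`, `a package in Debian`, and `a new Debian release` in the paragraph removed at @@ -265,11 +275,6 @@); capitalize both. The new paragraph also explains what the file is for but not whether a package listed in it still needs its `<removed>` entries in data/CVE/list, which is exactly the question the preceding section raises; one sentence settling that would make the two sections read as one rule.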